Am611 Install
Version 6.1.1
Installation Guide
GC23-6502-01
Note: Before using this information and the product it supports, read the information in Appendix D, Notices, on page 651.

Edition notice

This edition applies to version 6, release 1, modification 1 of IBM Tivoli Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 2001, 2010. All rights reserved. US Government Users Restricted Rights: use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

About this publication  ix
  Intended audience  ix
  Publications  ix
    IBM Tivoli Access Manager for e-business library  ix
    Related products and publications  xi
    Accessing terminology online  xii
    Accessing publications online  xii
    Ordering publications  xiii
  Accessibility  xiii
  Tivoli technical training  xiii
  Tivoli user groups  xiii
  Support information  xiii
  Conventions used in this publication  xiv
    Typeface conventions  xiv
    Operating system-dependent variables and paths  xv

Chapter 2. Internationalization  35
  Language support overview  36
  Installing language support packages for Tivoli Access Manager  37
  Installing language support packages for IBM Tivoli Directory Server  39
    AIX: Installing Tivoli Directory Server language packages  39
    HP-UX: Installing Tivoli Directory Server language packages  40
    Linux: Installing Tivoli Directory Server language packages  41
    Solaris: Installing Tivoli Directory Server language packages  42
    Windows: Installing Tivoli Directory Server language packages  43
  Uninstalling Tivoli Access Manager language support packages  44
  Uninstalling IBM Tivoli Directory Server language packages  45
    AIX: Removing language packages  45
    HP-UX: Removing language packages  45
    Linux: Removing language packages  45
    Solaris: Removing language packages  45
    Windows: Removing language packages  45
  Locale environment variables  46
    LANG variable on UNIX or Linux systems  47
    LANG variable on Windows systems  48
    Using locale variants  48
  Message catalogs  49
  Text encoding (code set) support  50
    Location of code set files  50

Chapter 3. Setting up the registry server  53
  Setting up Microsoft Active Directory Application Mode (ADAM)  119
    Installing and configuring Active Directory Application Mode (ADAM) for Tivoli Access Manager (Overview)  120
    Installing Access Manager with support for Active Directory Application Mode (ADAM)  120
    Configuring the Tivoli Access Manager schema for Active Directory Application Mode (ADAM)  121
    Configuring a default Tivoli Access Manager directory partition  123
    Adding an administrator to the Tivoli Access Manager metadata directory partition  124
    Allowing anonymous bind  126
  Setting up Novell eDirectory  127
    Configuring the Novell eDirectory for Tivoli Access Manager  127
    When using Novell eDirectory  129
    Management domain location  130
  Setting up the Sun Java System Directory Server  132

Installing using the installation wizard
Installing using native utilities
  AIX: Installing Access Manager Runtime for Java
  HP-UX: Installing Access Manager Runtime for Java
  Linux: Installing Access Manager Runtime for Java
  Solaris: Installing Access Manager Runtime for Java
  Windows: Installing Access Manager Runtime for Java

  Solaris: Installing the Access Manager Attribute Retrieval Service  223
  Windows: Installing the Access Manager Attribute Retrieval Service  223

  Windows: Installing the IBM Global Security Kit (GSKit)  315
  Setting up the GSKit iKeyman utility  315
Installing IBM Java Runtime  318
  AIX: Installing IBM Java Runtime  318
  HP-UX: Installing IBM Java Runtime  319
  Linux: Installing IBM Java Runtime  320
  Solaris: Installing IBM Java Runtime  321
  Windows: Installing IBM Java Runtime  321
Installing the IBM Tivoli Security Utilities  323
  AIX: Installing the IBM Tivoli Security Utilities  323
  HP-UX: Installing IBM Tivoli Security Utilities  323
  Linux: Installing IBM Tivoli Security Utilities  324
  Solaris: Installing IBM Tivoli Security Utilities  325
  Windows: Installing IBM Tivoli Security Utilities  326
Installing the IBM Tivoli Directory Server client  327
  AIX: Installing the IBM Tivoli Directory Server client  327
  HP-UX: Installing the IBM Tivoli Directory Server client  328
  Linux: Installing the IBM Tivoli Directory Server client  329
  Solaris: Installing the IBM Tivoli Directory Server client  330
  Windows: Installing the IBM Tivoli Directory Server client  331
Installing IBM WebSphere Application Server  333
  AIX: Installing WebSphere Application Server  333
  HP-UX: Installing WebSphere Application Server  334
  Linux: Installing WebSphere Application Server  335
  Solaris: Installing WebSphere Application Server  336
  Windows: Installing WebSphere Application Server  336
Installing the Web Administration Tool  338
  AIX: Installing the Web Administration Tool  338
  HP-UX: Installing the Web Administration Tool  339
  Linux: Installing the Web Administration Tool  340
  Solaris: Installing the Web Administration Tool  341
  Windows: Installing the Web Administration Tool  342
  Installing the Web Administration Tool into WebSphere  344

  Pre-installation requirements  360
  install_ldap_server scenario  361
Installing the policy server (install_ammgr wizard)  369

  Access Manager Runtime LDAP
  Access Manager Runtime Active Directory
  Access Manager Runtime Domino
  Access Manager Attribute Retrieval Service
  Access Manager Authorization Server
  Access Manager Runtime for Java
  Access Manager Plug-in for Edge Server
  Access Manager Plug-in for Web Servers on UNIX
  Access Manager Plug-in for Web Servers on Windows
  Access Manager Policy Server
  Access Manager Policy Proxy Server
  Access Manager Web Portal Manager
  Access Manager WebSEAL

Chapter 23. Enabling Secure Sockets Layer (SSL) security  473
    Verifying that SSL is enabled on the Active Directory server  488
    Exporting the certificate from the Active Directory server  488
    Importing the certificate on the LDAP client system  489
    Testing SSL access  489
  Configuring Active Directory Application Mode (ADAM) for SSL access  491
    Setting up Active Directory Application Mode (ADAM) to use SSL (Example)  491
  Configuring Novell eDirectory server for SSL access  495
    Creating an organizational certificate authority object  495
    Creating a self-signed certificate  496
    Creating a server certificate for the LDAP server  496
    Enabling SSL  497
    Adding the self-signed CA certificate to the IBM key file  497
  Configuring Sun Java System Directory Server for SSL access  498
    Obtaining a server certificate  498
    Installing the server certificate  499
    Enabling SSL access  499
  Configuring the Tivoli Directory Server client for SSL access  501
    Creating the key database file  501
    Adding the signer certificate to the client key database file  502
    Configuring the client for SSL communications  503
    Testing SSL access from the client  503
  Configuring SSL for server and client authentication  504
    Creating the key database file on the client  504
    Requesting or creating a personal certificate on the client  505
    Using certificates from a Certificate Authority (CA) on the client  505
    Using self-signed certificates on the client  507
    Adding the signer certificate to the server key database file  508
    Testing SSL access when using server and client authentication  509

Chapter 28. Using software package definition files  621

Chapter 29. Tivoli Access Manager registry adapter for WebSphere federated repositories  629
  Tivoli Access Manager registry adapter installation
  Configuring the Tivoli Access Manager registry adapter
    Configuring a Tivoli Access Manager adapter
    Configuring the adapter as a WebSphere custom registry
  Troubleshooting WebSphere login failure

Appendix A. Installing IBM Tivoli Directory Integrator  635

Appendix B. User registry differences  637
  General concerns  637
  LDAP concerns  637
    Sun Java System Directory Server concerns  638
    Microsoft Active Directory Application Mode (ADAM) concerns  638
  URAF concerns  639
    Lotus Domino Server concerns  639
    Microsoft Active Directory Server concerns  639
  Length of names  641

  Searching knowledge bases  645
    Searching information centers  645
    Searching the Internet  645
  Obtaining fixes  645
  Registering with IBM Software Support  646
  Receiving weekly software updates  646
  Contacting IBM Software Support  647
    Determining the business impact  647
    Describing problems and gathering information  648
    Submitting problems  648

Appendix D. Notices  651
Intended audience
This guide is for system administrators responsible for the installation and deployment of Tivoli Access Manager. Readers should be familiar with the following:
- PC and UNIX operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- Lightweight Directory Access Protocol (LDAP) and directory services
- Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.
Publications
This section lists publications in the IBM Tivoli Access Manager for e-business library and related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.
  Describes the concepts and procedures for using Tivoli Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.
- IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide, SC23-6505
  Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration Guide, SC23-6506
  Provides instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
- IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide, SC23-6507
  Provides procedures and reference information for securing your Web domain using a Web server plug-in.
- IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide, SC23-6509
  Provides deployment considerations and operational instructions for the session management server.
- IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide, SC23-6510
  Provides information for enabling SSL communication in the Tivoli Access Manager environment.
- IBM Tivoli Access Manager for e-business: Auditing Guide, SC23-6511
  Provides information about configuring and managing audit events using the native Tivoli Access Manager approach and the Common Auditing and Reporting Service. Also covers installing and configuring the Common Auditing and Reporting Service, which is used for generating and viewing operational reports.
- IBM Tivoli Access Manager for e-business: Command Reference, SC23-6512
  Provides reference information about the commands, utilities, and scripts that are provided with Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business: Administration C API Developer Reference, SC23-6513
  Provides reference information about using the C language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference, SC23-6514
  Provides reference information about using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference, SC23-6515
  Provides reference information about using the C language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference, SC23-6516
  Provides reference information about using the Java language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business: Web Security Developer Reference, SC23-6517
  Provides programming and reference information for developing authentication modules.
- IBM Tivoli Access Manager for e-business: Troubleshooting Guide, GC27-2717
  Provides problem determination information.
- IBM Tivoli Access Manager for e-business: Error Message Reference, GI11-8157
  Provides explanations and recommended actions for the messages and return codes.
- IBM Tivoli Access Manager for e-business: Performance Tuning Guide, SC23-6518
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory Server as the user registry.
Server or z/OS LDAP servers as the user registry for Tivoli Access Manager. For z/OS LDAP servers, you must separately purchase DB2. You can find additional information about DB2 at: http://www.ibm.com/software/data/db2
Ordering publications
You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss. You can also order by telephone by calling one of these numbers:
- In the United States: 800-879-2755
- In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:
1. Go to http://www.ibm.com/e-business/linkweb/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.
Accessibility
Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface. Visit the IBM Accessibility Center at http://www.ibm.com/alphaworks/topics/accessibility/ for more information about IBM's commitment to accessibility. For additional information, see the Accessibility Appendix in the IBM Tivoli Access Manager for e-business Installation Guide.
Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

Online
  Access the Tivoli Software Support site at http://www.ibm.com/software/sysmgmt/products/support/index.html?ibmprd=tivman. Access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

IBM Support Assistant
  The IBM Support Assistant is a free local software serviceability workbench that helps you resolve questions and problems with IBM software products. The Support Assistant provides quick access to support-related information and serviceability tools for problem determination. To install the Support Assistant software, go to http://www.ibm.com/software/support/isa.

Troubleshooting Guide
  For more information about resolving problems, see the IBM Tivoli Access Manager for e-business: Troubleshooting Guide, GC27-2717.
Typeface conventions
This publication uses the following typeface conventions:

Bold
- Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
- Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets) and labels (such as Tip: and Operating system considerations:)
- Keywords and parameters in text

Italic
- Citations (examples: titles of publications, diskettes, and CDs)
- Words defined in text (example: a nonswitched line is called a point-to-point line)
- Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause."; letters as letters example: "The LUN address must start with the letter L.")
- New terms in text (except in a definition list): a view is a frame in a workspace that contains data.
- Variables and values you must provide: ... where myname represents ...

Monospace
- Examples and code examples
- File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
- Message text and prompts addressed to the user
- Text that the user must type
- Values for arguments or command options
  Installing in response file mode  25
  Native installation utilities  26
  Software Distribution installation method  26
    Edit and import the software package definition files  27
    Generate a software package block file  28
    Deploy the software package blocks  28
  Groups and administrator identities on UNIX and Linux systems  30
  Default port numbers  33
performance characteristics, scalability, and the need for failover capabilities. Integration of previous versions of software, databases, and applications with Tivoli Access Manager software must also be considered. After you have an understanding of the features that you want to deploy, you can decide which Tivoli Access Manager systems and blades can be combined to best implement your security policy. For Tivoli Access Manager, a blade is a component that provides application-specific services and components.

For useful planning documentation, including actual business scenarios, see supplemental product information at the following Web sites:
  http://www.ibm.com/redbooks/
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
Prerequisite products
Tivoli Access Manager includes the following prerequisite products. These products are required when setting up specific Tivoli Access Manager systems. For a list of required installation components necessary to set up a Tivoli Access Manager system, see Table 1 on page 15. Note that when using the installation wizards, the software prerequisites are automatically installed in the appropriate order.
The specifics of FIPS 140-2 are described at http://csrc.nist.gov/cryptval/140-2.htm. Enabling FIPS mode for Tivoli Access Manager covers only the cryptographic operations that Tivoli Access Manager itself performs; it does not place prerequisite or other products into FIPS mode, and Tivoli Access Manager is not responsible for their FIPS enablement. In FIPS mode, Transport Layer Security version 1 (TLS v1) is used as the secure communication protocol instead of SSL v3. Consequently, TLS is the required protocol for secure communication with a policy server that is configured in FIPS mode: a client that attempts to connect with SSL v3 (non-FIPS mode) is not answered with a protocol alert but is cut off with a socket-closed exception.
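When a client fails against a FIPS-mode policy server, the symptom described above (the socket simply closes) is easy to confuse with a port that is not listening or a certificate problem. The following Python script is an added example written for this edition, not code from the product or from the original guide: it probes a listener for each protocol version and separates "the peer closed the socket during the handshake" from "connection refused", "handshake rejected by a TLS alert", and "my own OpenSSL will not even offer that version". The host, port, and the local listener that drops connections are constructed for the demonstration; the same probe applies to the registry server's SSL port that step 10 of the installation process enables.

```python
"""Probe a TLS listener for the protocol versions it accepts.

Added example, not part of the Tivoli Access Manager guide or product. Host,
port and the throw-away listener below are constructed for the demonstration.
"""
import socket
import ssl
import threading

DEFAULT_TIMEOUT = 5.0   # seconds; assumed value, tune for your network


def classify_failure(exc):
    """Map an exception from connect/handshake to a one-word verdict."""
    if isinstance(exc, ConnectionRefusedError):
        return "refused"            # nothing is listening on that port
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError)):
        return "closed"             # peer dropped the socket during the handshake
    if isinstance(exc, ssl.SSLError):
        text = str(exc).lower()
        if "no protocols available" in text:
            return "unsupported-locally"   # our own OpenSSL will not offer it
        if "eof" in text or "reset" in text or "closed" in text:
            return "closed"
        return "rejected"           # a TLS alert from the peer, e.g. protocol_version
    return "error"


def probe(host, port, version=None, timeout=DEFAULT_TIMEOUT):
    """Attempt one handshake; returns (verdict, negotiated_version_or_None).

    version: an ssl.TLSVersion member to pin as both floor and ceiling, or
    None to offer whatever the local OpenSSL enables by default.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # probing protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    if version is not None:
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            return ("unsupported-locally", None)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except OSError as exc:          # ssl.SSLError is an OSError subclass
        return (classify_failure(exc), None)


def probe_all(host, port):
    """Probe SSLv3 and each TLS version the local ssl module knows about."""
    results = {}
    for name in ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"):
        member = getattr(ssl.TLSVersion, name, None)
        if member is None:
            results[name] = ("unsupported-locally", None)
        else:
            results[name] = probe(host, port, member)
    return results


def start_closing_listener(host="127.0.0.1"):
    """Constructed stand-in for a FIPS-mode policy server answering SSL v3:
    accept the TCP connection, then close it without completing a handshake."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return              # listener was closed
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_port(host="127.0.0.1"):
    """Find a port nobody is listening on (for the refused case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
    else:                           # no target given: demonstrate against the stand-in
        host, (srv, port) = "127.0.0.1", start_closing_listener()
    for name, (verdict, negotiated) in probe_all(host, port).items():
        suffix = f" ({negotiated})" if negotiated else ""
        print(f"{name:8} {verdict}{suffix}")
```

Run it as `python probe_tls.py host port` (the file name is only a suggestion). Against a FIPS-mode policy server you expect ok for the TLS versions both sides support and closed for SSLv3. If your own OpenSSL build no longer offers SSLv3 or TLSv1, the verdict is unsupported-locally, which says nothing about the server; run the probe from a host whose OpenSSL still offers the version you want to test.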
You can install the Web Administration Tool on a system with or without the IBM Tivoli Directory Server client or server. The Web Administration Tool can be used to administer LDAP servers of the following types:
- IBM Tivoli Directory Server, Versions 6.1, 6.0 and 5.2
- IBM Directory Server, Version 5.1
- IBM z/OS LDAP Server, Versions 1.6 or 1.8

To use the Web Administration Tool, you also need:
- IBM WebSphere Application Server, Version 6.1 or later. The application server is required on the system where the Web Administration Tool is installed. It is not required on the Tivoli Directory Server client or server systems.
- One of the following Web browsers on the system from which you use the Web Administration Tool (which might or might not be the system where the Web Administration Tool is installed):
    AIX platforms (64-bit/32-bit): Mozilla 1.6, 1.7, 1.7.5 or Firefox 1.0
    HP-UX platforms: Mozilla 1.6, 1.7 or Firefox 1.5
    HP-UX on Integrity platforms: Mozilla 1.6, 1.7 or Firefox 1.5
    Linux on x86 platforms: Mozilla 1.6, 1.7 or Firefox 1.5
    Linux on POWER and Linux on System z platforms: Firefox 1.5
    Solaris: Mozilla 1.6, 1.7 or Firefox 2.0.0.3
    Solaris on x86_64: Mozilla 1.7
    Windows platforms: Internet Explorer 6.x, 7.x or Firefox 2.0.0.3

The Web Administration Tool is provided on the IBM Tivoli Access Manager Directory Server CD.
Supported registries
Tivoli Access Manager supports the following user registries, their supported operating systems, and any necessary prerequisite software. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database to ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. Also, ensure that all necessary operating system patches are installed.
UNIX or Linux platforms make use of the IBM Tivoli Directory Server client to communicate with Active Directory. This LDAP client is also used on Windows platforms where the Active Directory domain of the local host is different from the Active Directory domain where the policy server is to be configured.
Novell eDirectory
Tivoli Access Manager supports the use of Novell eDirectory as a user registry. For installation information, consult the product documentation that came with your Novell eDirectory server. Novell eDirectory product documentation is available at:
  http://www.novell.com/documentation/a-z.html
The latest patches to these products are available at:
  http://support.novell.com/patches.html

Attention: If you have an existing Novell eDirectory server that you want to use for Tivoli Access Manager, ensure that you upgrade the server to a supported level.
Table 1. Required components for the Tivoli Access Manager base systems (continued)

System type: IBM Tivoli Directory Server
Installation components (provided on the Tivoli Access Manager CD):
  If you plan to install the IBM Tivoli Directory Server as your Tivoli Access Manager registry, the following components are required:
  - IBM Global Security Kit (GSKit)
  - DB2 Enterprise Server Edition
  - IBM Tivoli Directory Server client
  - IBM Tivoli Directory Server server
  Note: Refer to the IBM Tivoli Directory Server documentation for information about which versions of the server are supported.

System type: Runtime for Java
  - Access Manager License
  - Access Manager Runtime for Java

System type: Policy proxy server
  - IBM Global Security Kit (GSKit)
  - IBM Tivoli Directory Server client (depending on the registry used)
  - Tivoli Security Utilities
  - Access Manager License
  - Access Manager Runtime
  - Access Manager Policy Proxy Server

System type: Policy server
  - IBM Global Security Kit (GSKit)
  - IBM Tivoli Directory Server client (depending on the registry used)
  - Tivoli Security Utilities
  - Access Manager License
  - Access Manager Runtime
  - Access Manager Policy Server

System type: Runtime
  - IBM Global Security Kit (GSKit)
  - IBM Tivoli Directory Server client (depending on the registry used)
  - Tivoli Security Utilities
  - Access Manager License
  - Access Manager Runtime

System type: Web Portal Manager
  - IBM WebSphere Application Server (on separate CD)
  - Access Manager License
  - Access Manager Runtime for Java
  - Access Manager Web Portal Manager
Table 2. Required components for the Tivoli Access Manager Web security systems (continued)

System type: Plug-in for Apache Web Server
Installation components (provided on the Tivoli Access Manager CD):
  - Apache Web Server (not provided on the Tivoli Access Manager CDs)
  - IBM Global Security Kit (GSKit)
  - IBM Tivoli Directory Server client (depending on the registry used)
  - Tivoli Security Utilities
  - Access Manager License
  - Access Manager Runtime
  - Access Manager Web Security Runtime
  - Access Manager Plug-in for Web Servers
  - Access Manager Plug-in for Apache Web Server

System type: Plug-in for Edge Server
  - IBM WebSphere Edge Server (not provided on the Tivoli Access Manager CDs)
  - IBM Global Security Kit (GSKit)
  - IBM Tivoli Directory Server client (depending on the registry used)
  - Tivoli Security Utilities
  - Access Manager License
  - Access Manager Runtime
  - Access Manager Web Security Runtime
  - Access Manager Plug-in for Edge Server

System type: Plug-in for IBM HTTP Server
  - IBM HTTP Server (not provided on the Tivoli Access Manager CDs)
  - IBM Global Security Kit (GSKit)
  - IBM Tivoli Directory Server client (depending on the registry used)
  - Tivoli Security Utilities
  - Access Manager License
  - Access Manager Runtime
  - Access Manager Web Security Runtime
  - Access Manager Plug-in for Web Servers
  - Access Manager Plug-in for IBM HTTP Server

System type: Plug-in for Internet Information Services
  - Internet Information Services (not provided on the Tivoli Access Manager CDs)
  - IBM Global Security Kit (GSKit)
  - IBM Tivoli Directory Server client (depending on the registry used)
  - Tivoli Security Utilities
  - Access Manager License
  - Access Manager Runtime
  - Access Manager Web Security Runtime
  - Access Manager Plug-in for Web Servers
  - Access Manager Plug-in for Internet Information Services

System type: Plug-in for Sun Java System Web Server
  - Sun Java System Web Server (not provided on the Tivoli Access Manager CDs)
  - IBM Global Security Kit (GSKit)
  - IBM Tivoli Directory Server client (depending on the registry used)
  - Tivoli Security Utilities
  - Access Manager License
  - Access Manager Runtime
  - Access Manager Web Security Runtime
  - Access Manager Plug-in for Web Servers
  - Access Manager Plug-in for Sun Java System Web Server

Table 3. Required components for the Tivoli Access Manager session management systems (continued)

System type: Session Management Command Line
Installation components (provided on the Tivoli Access Manager CDs):
  - IBM Global Security Kit (GSKit)
  - Access Manager Session Management Command Line
  - Tivoli Security Utilities
  If you want to use the Tivoli Access Manager pdadmin utility to administer sessions, the following components are also required:
  - Access Manager License
  - Access Manager Runtime
  - Access Manager Authorization Server
  - Access Manager Session Management Command Line
  - IBM Tivoli Directory Server client (depending on the registry used)
Installation process
To create a Tivoli Access Manager management domain, follow these basic steps: 1. Plan your Tivoli Access Manager deployment. Ensure that you understand the business security requirements for which Tivoli Access Manager is being deployed. 2. Decide which combination of Tivoli Access Manager systems that you want to install. A supported registry and the policy server system are required to set up the initial management domain. 3. Ensure that your Tivoli Access Manager systems meet all software and hardware requirements listed in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database. 4. Set up a registry for use with Tivoli Access Manager. For instructions, see Chapter 3, Setting up the registry server, on page 53. 5. Install and configure the Tivoli Access Manager policy server system. For instructions, see Chapter 4, Setting up a policy server, on page 137. 6. On AIX systems only, if you plan to use a standby policy server, install and configure the standby policy server. For instructions, see Chapter 24, AIX: Setting up a standby policy server, on page 511. 7. Install other types of Tivoli Access Manager base systems (as needed). For example, you can install one or more of the following systems:
Access Manager Authorization Server Page 153
Access Manager Application Development Page 163 Kit (ADK) Access Manager Runtime for Java Access Manager Policy Proxy Server Access Manager Runtime Access Manager Web Portal Manager Page 173 Page 181 Page 191 Page 201
8. Install Tivoli Access Manager Web security systems (as needed). For example, you can install one or more of the following systems:
   Access Manager Attribute Retrieval Service                        Page 219
   Access Manager Plugin for Edge Server                             Page 225
   Access Manager Plugin for Web Servers                             Page 239
   Access Manager Web Security Application Development Kit (ADK)     Page 259
   Access Manager WebSEAL                                            Page 267
   Note: If you have already installed and configured a Tivoli Access Manager component and need to reinstall it, you must first unconfigure and remove it.
9. Install Tivoli Access Manager distributed sessions management systems (as needed). For example, you can install one or more of the following systems:
   Access Manager Session Management Server             Page 219
   Access Manager Session Management Command Line       Page 225
   Note: If you have already installed and configured a Tivoli Access Manager component and need to reinstall it, you must first unconfigure and remove it.
10. Use a certificate from a Certificate Authority (CA) to enable SSL communication between your supported registry server and IBM Tivoli Directory Server clients. See Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 473 for details.
Installation methods
You can install and configure Tivoli Access Manager software in the following ways:
v Installation wizards
v Native installation utilities on page 26
v Software Distribution installation method on page 26
Installation wizards
You can run a single program to set up one of a variety of Tivoli Access Manager systems. Software prerequisites and product patches are automatically installed in the appropriate order. Operating system patches are not installed automatically.

Use installation wizards to simplify installation and configuration of Tivoli Access Manager systems. The Tivoli Access Manager components support installation wizards running in graphical mode, text-based console mode, and response file (silent) mode. This flexibility of installation methods allows you to create multiple solutions for deploying your software. Choose one of the following installation methods:
v Graphical mode
v Text-based (non-graphical) console mode
v Response file (silent) mode

Notes:
1. On operating systems such as Linux, Tivoli Access Manager does not support installation in a nondefault directory. So do not use --relocate as an rpm option to specify a nondefault directory during installation. Otherwise, Tivoli Access Manager does not work after installation.
2. For installations on Linux, ensure that the path to which you are mounting does not contain the "disk" string. Otherwise the license agreement does not display.

To remove installations, see Chapter 19, Uninstalling components, on page 347.
Table 4. Installation wizards for base systems (continued)

Installation wizard    Type of base system
install_amadk          Access Manager Application Development Kit (ADK)
install_amjrte         Access Manager Runtime for Java
install_ammgr          Access Manager Policy Server
install_amproxy        Access Manager Policy Proxy Server
install_amrte          Access Manager Runtime
install_amwpm          Access Manager Web Portal Manager. This component also requires the IBM Tivoli Access Manager WebSphere Application Server set of CDs provided with Tivoli Access Manager.
install_ldap_server    IBM Tivoli Directory Server. Note: This installation wizard is located on the IBM Tivoli Access Manager Directory Server CD.
Installation wizards for Tivoli Access Manager Web security systems are located in the root directory on the IBM Tivoli Access Manager Web Security CD.
Table 5. Installation wizards for Web security systems

Installation wizard    Type of Web security system
install_amweb          Access Manager WebSEAL
install_amwebadk       Access Manager Web Security Application Development Kit (ADK)
install_amwebars       Access Manager Attribute Retrieval Service. This component also requires the IBM Tivoli Access Manager WebSphere Application Server set of CDs provided with Tivoli Access Manager.
install_amwpi          Access Manager Plug-in for Web Servers for:
                       v Apache Web Server
                       v IBM HTTP Server
                       v Internet Information Services
                       v Sun Java System Web Server
Installation wizards for Tivoli Access Manager distributed sessions management systems are located in the root directory on the IBM Tivoli Access Manager Shared Session Management CD.
Table 6. Installation wizards for distributed sessions management systems

Installation wizard    Type of distributed sessions management system
install_amsms          Access Manager Session Management Server. This component also requires the IBM Tivoli Access Manager WebSphere Application Server set of CDs provided with Tivoli Access Manager.
install_amsmscli       Access Manager Session Management Command Line
where component_name is the name of the Tivoli Access Manager installation wizard. For example:
install_amrte -console
After obtaining user input, the installation wizard performs some verification before displaying the summary screen. On some older systems, this might take a minute or more. You will not get any feedback while this verification occurs.
For instructions on using response files to install multiple products on multiple machines at the same time, see Chapter 27, Using response files, on page 607.
Using IBM Tivoli Configuration Manager, some of the tasks you can do include:
v Package software elements ready for distribution and installation.
v Use the integrated inventory database to determine targets for your software distribution.
v Manage your enterprise environment across firewalls without impacting your enterprise security.
v Automatically distribute and manage security patches and software updates in a Tivoli environment.

If you choose this installation method, you should be familiar with using the Software Distribution installation method of IBM Tivoli Configuration Manager. You can view IBM Tivoli Configuration Manager topics at the Information Center Web site: http://publib.boulder.ibm.com/infocenter/tiv3help/index.jsp?topic=/com.ibm.tivoli.itcm.doc/cmmst19.htm

To use the Software Distribution installation method, you will perform these general steps:
1. Edit and import the software package definition files
2. Generate a software package block file
3. Deploy the software package blocks

See Chapter 28, Using software package definition files, on page 621 for an example software package definition file.
2. Provide the name and location of the source installation directory by searching for and changing these lines:
### Drive letter if source server is Windows (leave blank if not Windows)
install_srcdrive =
### location of install images
install_srcdir = /install/tam610.windows
27
3. Provide the source host name for the source by searching for and removing the pound sign (#) to uncomment this line:
# source_host_name = your.source.host
4. Provide the fully qualified host name for the location of the SPD log file by uncommenting and providing configuration information for this line:
# log_host_name = your.log.host
5. Provide the fully qualified path to the log file for the policy server on Windows:
log_path = C:\Program Files\Tivoli\bin\swdis\work\install_ammgr_windows.log
When completed, the edited lines will look similar to the following lines:
options_drive = C:
options_filename = /install/config/windows/install_ammgr.options
install_srcdrive = E:
install_srcdir = /install/tam600.windows
source_host_name = mysourcehost.tivoli.com
log_host_name = myloghost.tivoli.com
log_path = C:\Program Files\Tivoli\bin\swdis\work\install_ammgr_windows.log
where mysourcehost.tivoli.com is your source host name and myloghost.tivoli.com is your log host name. After editing these files, import the modified software package definition file into IBM Tivoli Configuration Manager.
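The edits in steps 2 to 5 can be scripted rather than made by searching the file by hand. The following POSIX shell example is added here and is not part of the IBM guide: it sets each key with sed, whether the key is currently active or commented out with leading pound signs, and runs against a constructed SPD fragment built from the lines shown above. The key names and sample values are the guide's own; the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the IBM guide: scripted SPD edits for the
# Software Distribution installation method.

# spd_set FILE KEY VALUE
# Sets "KEY = VALUE" in FILE, whether the key is active or commented out
# with one or more leading pound signs.
spd_set() {
    spd_file=$1
    spd_key=$2
    # Escape the characters that are special in a sed replacement
    # (backslash, ampersand, and the | used as the s-command delimiter),
    # so Windows paths such as C:\Program Files\... survive untouched.
    spd_val=$(printf '%s' "$3" | sed 's/[\\&|]/\\&/g')
    sed "s|^#* *${spd_key} *=.*|${spd_key} = ${spd_val}|" "$spd_file" > "$spd_file.tmp" \
        && mv "$spd_file.tmp" "$spd_file"
}

# spd_get FILE KEY -> prints the active (uncommented) value of KEY, if any
spd_get() {
    sed -n "s|^${2} *= *||p" "$1"
}

# spd_write_sample FILE
# Constructed SPD fragment in the state the guide shows before editing.
spd_write_sample() {
    cat > "$1" <<'EOF'
options_drive = C:
options_filename = /install/config/windows/install_ammgr.options
### Drive letter if source server is Windows (leave blank if not Windows)
install_srcdrive =
### location of install images
install_srcdir = /install/tam610.windows
# source_host_name = your.source.host
# log_host_name = your.log.host
log_path = C:\Program Files\Tivoli\bin\swdis\work\install_ammgr_windows.log
EOF
}

# spd_apply_example FILE
# Steps 2 to 5 of the procedure, using the guide's own sample values.
spd_apply_example() {
    spd_set "$1" install_srcdrive "E:"
    spd_set "$1" install_srcdir "/install/tam600.windows"
    spd_set "$1" source_host_name "mysourcehost.tivoli.com"
    spd_set "$1" log_host_name "myloghost.tivoli.com"
    spd_set "$1" log_path 'C:\Program Files\Tivoli\bin\swdis\work\install_ammgr_windows.log'
}

# Stand-alone demonstration in a scratch directory.
spd_demo_dir=$(mktemp -d)
spd_write_sample "$spd_demo_dir/install_ammgr.spd"
spd_apply_example "$spd_demo_dir/install_ammgr.spd"
cat "$spd_demo_dir/install_ammgr.spd"
rm -rf "$spd_demo_dir"
```

Because the pattern matches a commented key as well as an active one, the same call both uncomments source_host_name and replaces its placeholder value, which is the change steps 3 and 4 describe.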
1. Ensure that the timeout on your endpoint's controlling gateway is set to a value high enough to account for the time it will take to transfer the installation images. If problems occur while distributing to an endpoint, consult the LCFD log that is located on that endpoint.
2. Use IBM Tivoli Configuration Manager to deploy the SPB to multiple systems. When the SPB file is deployed, all of these files will be downloaded to the target system and then the script file will be launched in silent mode with the provided options file.
   Note: If different configuration information is needed, you must produce different SPB files for each configuration.
3. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed on the endpoint. For instructions, see Installing IBM Java Runtime on page 318.
4. To install the software, right-click and click Install. Select the appropriate endpoints and set the distribution parameters, as needed. A successful distribution will install the binary files, run the installation wizard in silent mode, install, and then configure the Access Manager system.
Table 7. Users and groups required by Tivoli Access Manager (continued)

ID: tivoli
Type: group
Group membership: tivoli, ivmgr, root
Description: Access Manager Runtime also creates a group ID named tivoli for use with the Tivoli Common Directory scheme. Note that other Tivoli products can create the group ID tivoli and that its creation is not unique to Access Manager Runtime. The installation process creates the group ID using the next available GID. To choose your own GID for Access Manager Runtime to be used with Tivoli Common Directory:
    Linux, Solaris, and HP-UX:
        groupadd -g gid tivoli
    AIX:
        mkgroup id=gid tivoli

ID: tivoli
Type: user
Group membership: tivoli
Description: Access Manager Runtime also creates a user ID named tivoli for use with the Tivoli Common Directory scheme. Note that other Tivoli products can create the user ID tivoli and that its creation is not unique to Access Manager Runtime. The installation process creates the user ID tivoli using the next available UID. To choose your own UID for Access Manager Runtime to be used with Tivoli Common Directory:
    Linux, Solaris, and HP-UX:
        useradd -u uid -g tivoli -c "Owner of Tivoli Common Files" tivoli
        usermod -G tivoli ivmgr
    AIX:
        mkuser id=uid groups=tivoli gecos="Owner of Tivoli Common Files" tivoli
        chuser pgrp=staff groups=ivmgr,tivoli ivmgr

ID: idsldap
Type: group
Description: The IBM Tivoli Directory Server installs files and directories owned by group idsldap. The installation process creates the group using the next available GID. To choose your own GID:
    Linux, Solaris, and HP-UX:
        groupadd -g gid idsldap
    AIX:
        mkgroup id=gid idsldap

ID: idsldap
Type: user
Group membership: idsldap
Description: The IBM Tivoli Directory Server installs files and directories owned by user idsldap. The installation process creates the user using the next available UID. To choose your own UID:
    Linux, Solaris, and HP-UX:
        useradd -u uid -g idsldap -d /home/idsldap -s /bin/ksh idsldap
    AIX:
        mkuser id=uid pgrp=staff groups=idsldap idsldap

ID: sys
Type: group
Group membership: root
Description: The installation process creates the group for IBM Global Security Kit (GSKit).
The IBM Tivoli Directory Server installation also requests a local user ID to own the directory server instance and DB2 instance.
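Once the accounts in Table 7 have been created, it is worth verifying that every host carries them with the memberships the table's useradd, usermod, mkuser and chuser commands establish (ivmgr in the tivoli group, root in sys, each service user in its own group). The following POSIX shell script is an added example, not part of the IBM guide: it reads passwd- and group-format files passed as arguments, so it can be run against copies collected from a host. The sample files it writes are constructed for the demonstration, not captured from a real installation, and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the IBM guide: post-installation check of the
# Table 7 accounts and memberships.

# passwd_field FILE USER N -> field N of USER's passwd entry ("" if absent)
passwd_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# group_field FILE GROUP N -> field N of GROUP's entry ("" if absent)
group_field() {
    awk -F: -v g="$2" -v n="$3" '$1 == g { print $n; exit }' "$1"
}

# user_in_group PASSWD GROUP USER GROUPNAME
# Succeeds if USER's primary GID equals GROUPNAME's GID, or USER appears
# in GROUPNAME's supplementary member list.
user_in_group() {
    uig_ugid=$(passwd_field "$1" "$3" 4)
    uig_ggid=$(group_field "$2" "$4" 3)
    [ -n "$uig_ugid" ] && [ "$uig_ugid" = "$uig_ggid" ] && return 0
    case ",$(group_field "$2" "$4" 4)," in
        *",$3,"*) return 0 ;;
    esac
    return 1
}

# check_tam_accounts PASSWD GROUP
# Prints one line per failed check; returns the number of failures.
check_tam_accounts() {
    cta_fail=0
    for cta_u in ivmgr tivoli idsldap; do
        if [ -z "$(passwd_field "$1" "$cta_u" 1)" ]; then
            echo "missing user: $cta_u"
            cta_fail=$((cta_fail + 1))
        fi
    done
    for cta_g in ivmgr tivoli idsldap sys; do
        if [ -z "$(group_field "$2" "$cta_g" 1)" ]; then
            echo "missing group: $cta_g"
            cta_fail=$((cta_fail + 1))
        fi
    done
    # user:group pairs that the Table 7 commands produce
    for cta_pair in ivmgr:ivmgr tivoli:tivoli idsldap:idsldap ivmgr:tivoli root:sys; do
        cta_u=${cta_pair%%:*}
        cta_g=${cta_pair#*:}
        if ! user_in_group "$1" "$2" "$cta_u" "$cta_g"; then
            echo "$cta_u is not a member of group $cta_g"
            cta_fail=$((cta_fail + 1))
        fi
    done
    return "$cta_fail"
}

# write_sample_accounts DIR GOOD|BAD
# Constructed sample files (not from a real host). The BAD variant leaves
# ivmgr out of the tivoli group, the membership "usermod -G tivoli ivmgr" adds.
write_sample_accounts() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
ivmgr:x:501:501:Access Manager user:/home/ivmgr:/bin/sh
tivoli:x:502:502:Owner of Tivoli Common Files:/home/tivoli:/bin/sh
idsldap:x:503:503:Directory Server user:/home/idsldap:/bin/ksh
EOF
    if [ "$2" = GOOD ]; then tivoli_members=ivmgr,root; else tivoli_members=root; fi
    cat > "$1/group" <<EOF
root:x:0:
sys:x:3:root
ivmgr:x:501:
tivoli:x:502:$tivoli_members
idsldap:x:503:
EOF
}

# Stand-alone demonstration against the deliberately incomplete sample.
acct_demo=$(mktemp -d)
write_sample_accounts "$acct_demo" BAD
if check_tam_accounts "$acct_demo/passwd" "$acct_demo/group"; then
    echo "all Table 7 accounts and memberships present"
else
    echo "account check failed"
fi
rm -rf "$acct_demo"
```

On a live system the same functions can be pointed at /etc/passwd and /etc/group; the return value is the number of failed checks, so the script slots into a post-install or configuration-drift job without parsing its output.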
Component                                     Port
Access Manager Authorization Server           Authorization request port
Access Manager Authorization Server           Administration request port
Access Manager Policy Proxy Server            Policy request port
Access Manager Policy Proxy Server            Authorization request port
Access Manager WebSEAL                        WebSEAL listening port
Access Manager Session Management Server      IBM WebSphere Application Server port
LDAP servers                                  Non-SSL port
LDAP servers                                  SSL port
Access Manager WebSEAL                        HTTP port
Access Manager WebSEAL                        HTTPS port
Chapter 2. Internationalization
This chapter describes the internationalization features for a Tivoli Access Manager secure domain. This section contains the following topics:
v Language support overview on page 36
v Installing language support packages for Tivoli Access Manager on page 37
v Installing language support packages for IBM Tivoli Directory Server on page 39
v Uninstalling Tivoli Access Manager language support packages on page 44
v Locale environment variables on page 46
v Message catalogs on page 49
v Text encoding (code set) support on page 50

Attention: Ensure that you review the internationalization section in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database for any language-specific limitations or restrictions.
v Japanese
v Korean
v Polish
v Spanish
v Russian

Notes:
1. The installation wizard uses your language of choice, without installing the language pack.
2. The installation wizards and the Windows native installation utility do not support the Arabic or Hebrew languages.
3. Only the panels in Web Portal Manager support the Hebrew language; messages and online help appear in English.

The translations for these languages are provided as language support packages on the IBM Tivoli Access Manager Language Support CD for each product. To obtain language support for Tivoli Access Manager, you must install the language support package for that product. Each language is a separately installable product installation image.
v If you use installation wizards to install Tivoli Access Manager, you must install the language package before installing Tivoli Access Manager so that you can view configuration messages in your native language.
v If you use native installation utilities to install Tivoli Access Manager, you must install the language package after installing Tivoli Access Manager components but before configuring them. If you do not install the language support package, the associated product displays all text in English.
v If you are installing Tivoli Access Manager Session Management Server or Session Management Command Line on Windows, you must install the language pack after installing the Session Management component. This is required for both the installation wizard and the native install.

If language support for a product is installed and you upgrade the product, you must also install the corresponding language support product, if one exists. Refer to the upgrade documentation for the specific product to determine if language support is required. If you do not install the language support after upgrading, the associated product might display some fields and messages in English.
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
3. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed for your particular operating system. For instructions, see one of the following:
   v On AIX systems, see page 318.
   v On HP-UX systems, see page 319.
   v On Linux systems, see page 320.
   v On Solaris systems, see page 321.
   v On Windows systems, see page 321.
4. Depending on the Tivoli Access Manager component that you want to install, run one or more of the following setup scripts.
   v To install using a wizard, select the scripts for the desired components.
     Notes:
     a. Scripts are used for UNIX or Linux systems; batch files (.bat extension) are used for Windows systems.
     b. If you issue a script without specifying the jre_path, you must ensure that the Java executable is part of the PATH statement. Otherwise, issue the script specifying the jre_path as follows:
language_package jre_path
For example, to install the language package for the Access Manager Runtime, enter the following:
install_pdrte_lp /usr/bin
where /usr/bin is the path to the JRE. The following language packages are available:
install_amsms_lp
    Installs language packages for Access Manager Session Management Server and Access Manager Session Management Command Line.
Installs language packages for Common Auditing and Reporting Service.
Installs language packages for Access Manager Plug-in for Web Servers.
Installs language packages for Access Manager Plug-in for Edge Server.
Installs language packages for Access Manager Runtime.
Installs language packages for Access Manager Runtime for Java.
Installs language packages for Access Manager Web Security Runtime.
Installs language packages for Access Manager WebSEAL.
   v To install in console mode, ensure that the IBM Java Runtime 1.5.0 SR5 is available in the command execution path (or prefix the command with the JRE directory) and run the following command:
java -jar language_package.jar -console
where language_package.jar is the name of the language package to install:
carslp.jar              Installs language packages for Common Auditing and Reporting Service.
pdjrte_lp_setup.jar     Installs language packages for Access Manager Runtime for Java.
pdrte_lp_setup.jar      Installs language packages for Access Manager Runtime.
pdweb_lp_setup.jar      Installs language packages for Access Manager WebSEAL.
pdwbpi_lp_setup.jar     Installs language packages for Access Manager Plug-in for Web Servers.
pdwebrte_lp_setup.jar   Installs language packages for Access Manager Web Security Runtime.
pdwsl_lp_setup.jar      Installs language packages for Access Manager Plug-in for Edge Server.
smslp.jar               Installs language packages for Access Manager Session Management Server and Access Manager Session Management Command Line.
5. Click Next to begin installation. The Software License Agreement window is displayed.
6. To accept the license agreement, select the I accept check box to accept the terms and then click Next. A dialog showing a list of the languages is displayed.
7. Select the language packages that you want to install and click Next. A dialog showing the location and features of the languages that you selected is displayed. To accept the languages selected, click Next.
8. The installation wizard validates that sufficient disk space is available. To install the languages that you selected, click Next.
9. After installation for the Tivoli Access Manager language pack has completed successfully, click Finish to close the wizard and restart your system.
where:
cd_mount_point/usr/sys/inst.images
    Specifies the directory where the install packages are located.
packages
    Specifies the package name or list of package names that you want to install. For example:
    idsldap.msg61.lang
        Specifies the IBM Tivoli Directory Server messages package, where lang is the language file abbreviation. The available language values include:
        cs_CZ   Czech
        de_DE   German
        en_US   English
        es_ES   Spanish
        fr_FR   French
        hu_HU   Hungarian
        it_IT   Italian
        ja_JP   Japanese
        ko_KO   Korean
        pl_PL   Polish
For example, to install IBM Tivoli Directory Server messages in the Italian language, you would enter the following:
installp -acgYXd /usr/sys/inst.images idsldap.msg61.it_IT
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
5. Install the following packages:
   v For HP-UX:
swinstall -s /cd-rom/hp package
where:
cd-rom/hp or cd-rom/hp_ia64
    Specifies the directory where the packages are located.
package
    Specifies the package name or list of package names that you want to install. For example:
    idsldap-msg61lang
        Specifies the IBM Tivoli Directory Server messages package, where lang is the language file abbreviation. The available language values include:
        de      German
        en      English
        es      Spanish
        fr      French
        it      Italian
        ja      Japanese
        ko      Korean
        zh_CN   Simplified Chinese
        zh_TW   Traditional Chinese
For example, to install IBM Tivoli Directory Server messages in the Korean language, you would enter the following:
swinstall -s /cd-rom/hp idsldap-msg61ko
or
swinstall -s /cd-rom/hp_ia64 idsldap-msg61ko
where packages are as follows:
Linux on x86:       idsldap-msg61-lang-6.1.0-0.noarch.rpm
Linux on POWER:     idsldap.msg61.lang-6.1.0-0.noarch.rpm
Linux on System z:  idsldap-msg61-lang-6.1.0-0.noarch.rpm
and where lang is the language file abbreviation (for example, en). The available language values include:
de      German
en      English
es      Spanish
fr      French
it      Italian
ja      Japanese
ko      Korean
pt_BR   Portuguese (Brazil)
zh_CN   Simplified Chinese
zh_TW   Traditional Chinese
For example, to install IBM Directory Server messages in the German language on a Linux on POWER system:
rpm -ihv idsldap.msg61.de-6.1.0-0.noarch.rpm
Note: The English language packages have a version number of 6.1.0-6 and are platform-specific. The English language packages for Linux are:
Linux on x86        idsldap-msg61-en-6.1.0-6.i386.rpm
Linux on POWER      idsldap-msg61-en-6.1.0-6.ppc.rpm
Linux on System z   idsldap-msg61-en-6.1.0-6.s390.rpm
where:
/cdrom/cdrom0/solaris or /cdrom/cdrom0/solaris_x86
    Specifies the location of the package.
/cdrom/cdrom0/solaris/pddefault or /cdrom/cdrom0/solaris_x86/pddefault
    Specifies the installation administration script.
xx
    Specifies the 2-letter language file abbreviation. The available language values include:
    br   Portuguese (Brazil)
    cn   Simplified Chinese
    de   German
    en   English
    es   Spanish
    fr   French
    it   Italian
    ja   Japanese
    ko   Korean
    tw   Traditional Chinese
For example, to install IBM Tivoli Directory messages in the Japanese language on a Solaris system, enter the following command:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IDSlja61
v On Windows systems:
C:\Program Files\location
where location is as follows:
CARSLP/lp_uninst
    Specifies the location of the language packages for Common Auditing and Reporting Service.
PDBLP/lp_uninst
    Specifies the location of the language packages for the Tivoli Access Manager base components, except for Access Manager Runtime for Java and Web Portal Manager.
Specifies the location of the language packages for Access Manager Runtime for Java.
Specifies the location of the language packages for Access Manager Plug-in for Web Servers.
Specifies the location of the language packages for Access Manager Plug-in for Edge Server.
Specifies the location of the language packages for Access Manager WebSEAL.
Specifies the location of the language packages for Access Manager Web Security Runtime.
Specifies the location of the language packages for Access Manager Session Management Server and Access Manager Session Management Command Line.
2. To uninstall the language support packages, enter one of the following: v On UNIX or Linux systems:
jre_path/java -jar package
v On Windows systems:
jre_path\java -jar package
where jre_path is the path where the Java executable is located and package is one of the following:
Note: If the Java executable is in the path, you do not have to specify jre_path.
cars_lp_uninstall.jar       Specifies the location of the language packages for Common Auditing and Reporting Service.
pdrte_lp_uninstall.jar      Specifies the location of the language packages for Access Manager Runtime.
pdjrte_lp_uninstall.jar     Specifies the language package for Access Manager Runtime for Java.
pdsms_lp_uninstall.jar      Specifies the language package for Access Manager Session Management Server and Access Manager Session Management Command Line.
pdwbpi_lp_uninstall.jar     Specifies the language package for Plug-in for Web Servers.
pdweb_lp_uninstall.jar      Specifies the language package for Access Manager WebSEAL.
pdwebrte_lp_uninstall.jar   Specifies the language package for Access Manager Web Security Runtime.
where packages specifies the language packages to be removed.
Note: Use the -g option only if you want dependent software for the specified package removed.
3. On the Welcome window, click Next.
4. Select the language packs you want to uninstall. Click Next.
5. On the confirmation window, to uninstall the selected features, click Next.
6. Click Finish when the uninstallation is complete.
If any of the previous variables are set, you must remove their setting for the LANG variable to have full effect.
The IBM Tivoli Directory Server requires that at least one language pack be installed on all UNIX-based systems for the IBM Tivoli Directory Server client and administrative utilities (for example, idscfgdb or db2dif) to operate correctly. To verify that you have a language package installed for your UNIX or Linux system, enter the following:
locale
If you had loaded a language package (for example bos.loc.iso.en_us), the output of the locale command would be:
LANG=en_US
LC_COLLATE="en_US"
LC_CTYPE="en_US"
LC_MONETARY="en_US"
LC_NUMERIC="en_US"
LC_TIME="en_US"
LC_MESSAGES="en_US"
LC_ALL=
Message catalogs
Message catalogs are typically installed in a msg subdirectory and each of these message catalogs is installed under a language-specific subdirectory. For example, the Tivoli Access Manager base components use the following directories:
v On UNIX or Linux systems: /opt/PolicyDirector/nls/msg/locale
v On Windows systems: install_dir/nls/msg/locale

Other Tivoli Access Manager components use similar directories for their message catalogs. Tivoli Access Manager recognizes variations in UNIX or Linux locale names and is usually able to map the specified value to the appropriate message catalog.

The NLSPATH environment variable is used to find the appropriate message catalog directory, as specified by open systems standards. For example, if the message catalogs are in /opt/PolicyDirector/nls/msg, the NLSPATH variable is set to the following:
/opt/PolicyDirector/nls/msg/%L/%N.cat:/opt/PolicyDirector/nls/msg/%L/%N
Note: For Windows, use a semicolon (;) instead of a colon (:) as the separator. For example:
C:\Program Files\PolicyDirector\nls\msg\%L\%N.cat;C:\Program Files\PolicyDirector\nls\msg\%L\%N
The %L directive is expanded to the message catalog directory that most closely matches the current user language selection, and %N.cat expands to the desired message catalog. If a message catalog is not found for the desired language, the English C message catalogs are used. For example, suppose you specify the AIX locale for German in Switzerland as follows:
LANG=De_CH.IBM-850
The %L directive is expanded in the following order to locate the specified locale:
1. de_CH
2. de
3. C

Because Tivoli Access Manager does not provide a German in Switzerland language package, de_CH is not found. If the Tivoli Access Manager German language package is installed, de is used. Otherwise, the default locale C is used, causing text to be displayed in English.
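The lookup order just described, together with the earlier point that any LC_* variable left set prevents LANG from taking full effect, can be checked with the following POSIX shell example. It is added here and is not code from the IBM guide: it derives the %L candidates (de_CH, de, C) from a LANG value such as De_CH.IBM-850, applies the POSIX precedence LC_ALL over LC_MESSAGES over LANG, and resolves the candidates against a constructed catalog tree in a scratch directory. The function names and the sample_msg catalog name are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the IBM guide: emulate the %L fallback used to
# locate a message catalog from the active locale.

# effective_messages_locale LC_ALL LC_MESSAGES LANG -> the value that wins
# (POSIX precedence; a lingering LC_ALL hides the LANG setting)
effective_messages_locale() {
    if [ -n "$1" ]; then printf '%s\n' "$1"
    elif [ -n "$2" ]; then printf '%s\n' "$2"
    else printf '%s\n' "$3"
    fi
}

# nls_candidates LOCALE -> the %L directories tried, most specific first
nls_candidates() {
    nc_loc=${1%%.*}          # drop the code set:  De_CH.IBM-850 -> De_CH
    nc_loc=${nc_loc%%@*}     # drop any modifier:  de_DE@euro    -> de_DE
    case "$nc_loc" in
        ""|C|POSIX) printf 'C\n'; return 0 ;;
    esac
    nc_lang=$(printf '%s' "${nc_loc%%_*}" | tr 'A-Z' 'a-z')   # De -> de
    case "$nc_loc" in
        *_*) nc_terr=$(printf '%s' "${nc_loc#*_}" | tr 'a-z' 'A-Z')
             printf '%s_%s\n' "$nc_lang" "$nc_terr" ;;
    esac
    printf '%s\n' "$nc_lang"
    printf 'C\n'
}

# nls_resolve MSGDIR LOCALE -> the first candidate directory present under MSGDIR
nls_resolve() {
    for nr_cand in $(nls_candidates "$2"); do
        if [ -d "$1/$nr_cand" ]; then
            printf '%s\n' "$nr_cand"
            return 0
        fi
    done
    return 1
}

# nls_catalog MSGDIR LOCALE NAME -> the path %L/%N.cat expands to,
# or failure if no catalog directory matches
nls_catalog() {
    nl_dir=$(nls_resolve "$1" "$2") || return 1
    printf '%s/%s/%s.cat\n' "$1" "$nl_dir" "$3"
}

# make_sample_msgdir DIR LANGS...: constructed catalog tree, e.g. "de" and "C",
# with an empty stand-in for a real catalog file in each directory
make_sample_msgdir() {
    msd_root=$1; shift
    for msd_l in "$@"; do
        mkdir -p "$msd_root/$msd_l"
        : > "$msd_root/$msd_l/sample_msg.cat"
    done
}

# Stand-alone demonstration: only the German and C catalogs are installed,
# so the Swiss German locale from the text falls back to "de".
nls_demo=$(mktemp -d)
make_sample_msgdir "$nls_demo" de C
nls_catalog "$nls_demo" "$(effective_messages_locale "" "" De_CH.IBM-850)" sample_msg
rm -rf "$nls_demo"
```

Running the demonstration prints the path of the de catalog; remove the de directory and it prints the C path instead, which is the English fallback the text describes.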
Preinstallation requirements
Before you install and configure IBM Tivoli Directory Server, you must perform the following preinstallation tasks (as required). These requirements are applicable, regardless of which installation method you plan to use.
With the exception of Windows on x86 and Linux on x86 platforms, IBM Tivoli Directory Server requires 64-bit hardware and a 64-bit kernel on all platforms.
v To verify that your AIX system is set up correctly for 64-bit hardware and a 64-bit kernel, review the following:
  To verify that your AIX hardware is 64-bit, enter the following:

bootinfo -y
If results display 64, your hardware is 64-bit. In addition, if you type the command lsattr -El proc0, the output of the command returns the type of processor for your server. If you have any of the following types of processors, you have 64-bit hardware: RS64 I, II, III, IV, POWER3, POWER3 II, POWER4 or POWER5. 64-bit hardware can have either a 32 or 64-bit kernel. To verify that you have a 64-bit kernel (/usr/lib/boot/unix_64) installed and running, enter the following:
bootinfo -K
If results display 64, the kernel is 64-bit. However, if results display 32, you must switch from the 32-bit kernel to 64-bit kernel. To do so, follow these steps: 1. Ensure that you have the following 64-bit packages:
bos.64bit bos.mp64
You should see output from the lslv command similar to the following output:
# lslv -m hd5
hd5:N/A
LP    PP1   PV1       PP2   PV2       PP3   PV3
0001  0001  hdisk0
Then enter:
bosboot -ad /dev/ipldevice
where ipldevice is the hard disk device shown by running the lslv command. You should see output from the bosboot command similar to the following output:
# bosboot -ad /dev/hdisk0
bosboot: Boot image is 13025 512 byte blocks
Then enter:
shutdown -Fr
Ensure that asynchronous I/O is enabled. To do so, enter the following commands:
/usr/sbin/mkdev -l aio0
/usr/sbin/chdev -l aio0 -P
/usr/sbin/chdev -l aio0 -P -a autoconfig=available
v On Linux systems only (all platforms)
  If you install the Red Hat Enterprise Linux 5 operating system with SELINUX enabled (which is the default), instance creation fails. If you have already installed the operating system and SELINUX is enabled, use the setenforce 0 command to disable it. Then, in the /etc/selinux/config file, change SELINUX=enforcing to SELINUX=disabled. Note that this turns off SELinux enforcement for the whole host, not only for the directory server, so record the change in the host's hardening baseline.
  The Korn shell, provided in the pdksh rpm package for all versions of Linux except SUSE LINUX Enterprise Server 10 and Red Hat Enterprise Linux 5, is required. Install the most recent version for your operating system. The pdksh rpm package is not available for SUSE LINUX Enterprise Server 10 or Red Hat Enterprise Linux 5. However, you must install a ksh package.
  If you want to install the client or a server on Red Hat versions of Linux, you must install the following packages, which are included with the operating system, before you install IBM Tivoli Directory Server:
compat-gcc compat-gcc-c++ compat-libstdc++ compat-libstdc++-devel glibc-devel glibc-headers glibc-kernheaders
Note: You might need to upgrade to the latest patch level of these packages. See the Red Hat support site at http://rhn.redhat.com for patches for Red Hat Enterprise Linux. If you are installing on a Linux operating system, you might need to manually specify some DB2 settings, such as preliminary kernel, operating system and shell parameters, before installing IBM Tivoli Directory Server. See the DB2 documentation for instructions on setting these parameters: http://publib.boulder.ibm.com/infocenter/db2luw/v8//index.jsp v On Linux on System z systems only You must install the following packages before you install DB2: Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 4 - compat-libstdc++-295-2.95.3-81.s390.rpm or higher version - compat-libstdc++-295-2.95.3-81.s390x.rpm or higher version - compat-libstdc++-33-3.2.3-47.3.s390.rpm or higher version - compat-libstdc++-33-3.2.3-47.3.s390x.rpm or higher version SUSE Linux Enterprise Server 9: - compat-2004.7.1-1.2.s390x.rpm or higher version - compat-32bit-9-200407011411.s390x.rpm or higher version SUSE Linux Enterprise Server 10: - compat-2006.1.25-11.2.s390x.rpm or higher version - compat-32bit-2006.1.25-11.2.s390x.rpm or higher version v On Linux on System z systems, IBM Tivoli Directory Server requires a 64-bit kernel. To ensure that your system is set up correctly, enter the following command:
uname -m
If the result displays s390x, you are running a 64-bit kernel. If the result displays s390, you are not running a 64-bit kernel.
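The SELinux and kernel checks above can be scripted. The following is an added example written for this guide, not IBM code or a Tivoli utility: it reads the persistent SELinux mode from a file in /etc/selinux/config format, rewrites SELINUX=enforcing to SELINUX=disabled as the text describes, and classifies a uname -m value. The config path and architecture string are parameters so the functions can be tried against a constructed copy of the file; the 64-bit architecture names other than s390x are an assumption added here, since the guide only contrasts s390x with s390.

```shell
#!/bin/sh
# Added example for this guide (not IBM code): script the Linux
# pre-installation checks above.  Paths and arch strings are parameters
# so the functions can be exercised against a constructed config file.

# Print the persistent SELinux mode (enforcing|permissive|disabled) from a
# file in /etc/selinux/config format.  Comment lines and the SELINUXTYPE=
# key are ignored; if SELINUX= appears more than once the last one wins.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Change SELINUX=enforcing to SELINUX=disabled in the given file, leaving
# every other line untouched.  This is the persistent half of the fix; the
# running kernel still needs `setenforce 0`, as the text says.
selinux_config_disable() {
    tmp="$1.tmp.$$"
    sed 's/^\([[:space:]]*SELINUX=[[:space:]]*\)enforcing/\1disabled/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Return 0 when a `uname -m` string names a 64-bit kernel.  The guide only
# contrasts s390x with s390; the other names are assumptions added here.
kernel_is_64bit() {
    case "$1" in
        s390x|x86_64|ppc64|ppc64le|ia64|aarch64) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the platform must run a 64-bit kernel for Tivoli Directory
# Server, that is, everything except Linux on x86.
kernel_check_required() {
    case "$1" in
        i?86|x86_64) return 1 ;;
        *) return 0 ;;
    esac
}

# Run both checks; print one line per problem and return 1 if any was found.
# With no arguments it inspects the live host (/etc/selinux/config, uname -m).
preinstall_check() {
    cfg=${1:-/etc/selinux/config}
    arch=${2:-$(uname -m)}
    status=0
    if [ -f "$cfg" ] && [ "$(selinux_config_mode "$cfg")" = "enforcing" ]; then
        echo "SELinux is enforcing in $cfg: run 'setenforce 0' and set SELINUX=disabled"
        status=1
    fi
    if kernel_check_required "$arch" && ! kernel_is_64bit "$arch"; then
        echo "kernel arch '$arch' is not 64-bit; this platform requires a 64-bit kernel"
        status=1
    fi
    return $status
}
```

Running preinstall_check with no arguments on the target host prints nothing and returns 0 when both prerequisites are met; otherwise each problem is reported on its own line, which makes the script usable from a provisioning pipeline as well as interactively.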
   If you plan to enable SSL using a certificate obtained from a Certificate Authority (CA), ensure that you copy the key database file containing that certificate to a directory on this system and specify that key database file during installation.
6. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
   Note: To determine whether IBM Java Runtime 1.5.0 SR5 is already in the path, use the java -version command. If you have multiple versions of the Java Runtime Environment installed, only the first Java Runtime Environment version encountered in the path is displayed. If the correct version cannot be found, an error occurs.
7. Do one of the following:
   • If installing on AIX, Linux, Solaris or HP-UX systems, run the install_ldap_server program, located in the root directory on the IBM Tivoli Access Manager Directory Server (1 of 2) CD for your operating system.
   • If installing on Windows, run the install_ldap_server program, located in the root directory on the IBM Tivoli Access Manager Directory Server for Windows (1 of 3) CD.
   The installation wizard begins by prompting you for configuration information as described in Installing the IBM Tivoli Directory Server (install_ldap_server wizard) on page 360. Supply the required configuration information, or accept the default values.
8. Compare the disk space that is required to install all of the IBM Tivoli Directory Server system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation. The components are installed and configured without further intervention.
9. Information on configuring Tivoli Directory Server to use SSL security can be found in Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 473.
After the installation wizard completes, the password for the key database file can be changed using the iKeyman key management utility that is installed with IBM Global Security Kit (GSKit). For more information, see Setting up the GSKit iKeyman utility on page 315.
After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager using the install_ldap_server installation wizard, the next step is to set up the policy server. For instructions, see Chapter 4, Setting up a policy server, on page 137.
  • Cannot begin with any of the following: IBM, SQL, SYS
  • Cannot include accented characters
  • Can include the following characters: A through Z, a through z, 0 through 9
  • Must begin with one of the following characters: A through Z, a through z
Additional restrictions for users and groups:
In addition to the naming rules, be sure that the following requirements are met:
• On AIX, Linux, Solaris, and HP-UX systems:
  - The root ID must be a member of the primary group of the directory server instance owner and the database instance owner.
  - The root ID must be a member of the idsldap group.
  - The directory server instance owner and the database instance owner must be members of the idsldap group.
  - The directory server instance owner and the database instance owner must have home directories.
  - The specific permissions for the home directory of the directory server instance owner must be as follows:
    - The user ownership is the directory server instance owner.
    - The group ownership is the directory server instance owner's primary group.
    - The directory server instance owner and its primary group must have read, write, and execute permissions to the home directory.
  - The directory server instance owner and its primary group must have read, write, and execute access to the location where the database will be created.
  - If the directory server instance owner and the database instance owner for a given directory server instance are different users, the directory server instance owner must be a member of the database instance owner's primary group.
  - The database instance owner and the database owner for a given directory server instance must have the same primary group.
  - For best results, the login shell of the directory server instance owner, the database instance owner, and the database owner should be the Korn shell (/usr/bin/ksh).
  - The password of the directory server instance owner, the database instance owner, and the database owner must be set correctly and ready to use. For example, the password cannot be expired or waiting for a first-time validation of any kind. (The best way to verify that the password is correctly set is to telnet to the same computer and successfully log in with that user ID and password.)
  - When configuring the database, it is not necessary, but customary, to specify the home directory of the database instance owner as the database location. However, if you specify some other location, the database instance owner's home directory still must have 3 to 4 MB of space available. This is because DB2 creates links and adds files in the home directory of the database instance owner even though the database itself is elsewhere. If you do not have enough space in the home directory, you can either create enough space or change the database instance owner's home directory.
• On Windows systems:
  - The directory server instance owner and the database instance owner must be members of the Administrators group.
  - The database instance owner must have the locale set to the correct locale for the language in which you want server messages to be displayed. If necessary, log in as the user and change the locale to the correct one.
Creating instance owners: examples
You can use the idsadduser command to create instance owners that meet the requirements for a directory server instance owner. For example:
• The following command creates a new user on an AIX, Linux, Solaris, or HP-UX system with user name JoeSmith. The primary group is employees, the home directory is /home/joe, and the password is joespw.
    idsadduser -u JoeSmith -g employees -l /home/joe -w joespw
• The following command creates a new user on a Windows system with user name JoeSmith and password joespw. The user is a member of the Administrators group.
    idsadduser -u JoeSmith -w joespw
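The UNIX requirements above (group memberships, home directory ownership and permissions, login shell, free space) are exactly the kind of thing that is easy to get half right and only discover during instance creation. The following is an added example written for this guide, not IBM code or part of idsadduser: a checker that reports every unmet requirement for a candidate instance owner. The group name idsldap, the shell /usr/bin/ksh and the 4 MB threshold come from the text; the function names and the use of ls -ld and df -Pk for portability across the listed platforms are my choices. Run check_instance_owner as root on the real host; the helpers take explicit arguments so they can also be tried against a scratch directory.

```shell
#!/bin/sh
# Added example for this guide (not IBM code): check a directory server
# instance owner against the UNIX requirements listed above before running
# idsxinst.  Arguments are explicit so the helpers can be tried against a
# scratch directory; run check_instance_owner as root on the real host.

# Return 0 if user $1 belongs to group $2 (primary or supplementary).
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Print the login shell recorded for user $1.
login_shell() {
    getent passwd "$1" | cut -d: -f7
}

# Return 0 if directory $1 is owned by user $2 and group $3 and both the
# owner and the group have read, write and execute permission on it.
# Parses `ls -ld`, which exists on every platform this guide covers.
dir_owned_rwx() {
    info=$(ls -ld "$1") || return 1
    set -- "$2" "$3" $info
    # now $1=expected user, $2=expected group, $3=mode, $5=owner, $6=group
    [ "$5" = "$1" ] || return 1
    [ "$6" = "$2" ] || return 1
    case "$3" in
        ?rwxrw[xs]*) return 0 ;;   # user rwx and group rwx (s = rwx plus setgid)
        *) return 1 ;;
    esac
}

# Print free kilobytes on the filesystem holding $1.  DB2 writes links and
# files into the instance owner's home even when the database is elsewhere,
# so the guide asks for 3 to 4 MB there.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Report every unmet requirement for instance owner $1 whose primary group
# is $2 and home directory $3; returns 1 if anything failed.
check_instance_owner() {
    user=$1; pgroup=$2; home=$3; rc=0
    user_in_group root "$pgroup"  || { echo "root is not in $user's primary group $pgroup"; rc=1; }
    user_in_group root idsldap    || { echo "root is not in group idsldap"; rc=1; }
    user_in_group "$user" idsldap || { echo "$user is not in group idsldap"; rc=1; }
    if [ -d "$home" ]; then
        dir_owned_rwx "$home" "$user" "$pgroup" \
            || { echo "$home must be owned by $user:$pgroup with rwx for both"; rc=1; }
        [ "$(free_kb "$home")" -ge 4096 ] \
            || { echo "$home has less than 4 MB free"; rc=1; }
    else
        echo "home directory $home does not exist"; rc=1
    fi
    [ "$(login_shell "$user")" = /usr/bin/ksh ] \
        || { echo "login shell of $user is not /usr/bin/ksh (recommended)"; rc=1; }
    return $rc
}
```

For the example user above the call would be check_instance_owner JoeSmith employees /home/joe. The permission test deliberately requires rwx for the group as well as the owner, because the text lists both; a home directory created with a default umask of 022 fails that test and needs a chmod g+w before instance creation.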
   b. When the db2_install utility prompts for a keyword, enter ESE.
   c. When the installation completes, verify that the installation was successful by reviewing the contents of the log file:
        /tmp/db2_install_log.99999
      The suffix 99999 will be replaced by a number that is unique to your installation.
6. Apply the IBM DB2 license.
     /db2_install_path/adm/db2licm -a /CD1_mount_point/common/db2ese.lic
   For example:
     /opt/IBM/db2/V9.1/adm/db2licm -a /CD1_mount_point/common/db2ese.lic
   To install IBM Tivoli Directory Server on a multiprocessor machine, DB2 has special licensing that is based on the number of processors that will be used. In some cases, it might be necessary to run the DB2 command to force the licensing to allow multiple processors; for example:
     /opt/IBM/db2/V9.1/adm/db2licm -n db2ese 101 force
   where 101 is the default number of processors. If no number is specified, the license applies only for a single processor. If running this command produces the following error, you can safely ignore it:
     The license policy specified does not apply to this product or is not supported.
7. Mount the IBM Tivoli Access Manager Directory Server for AIX (2 of 2) CD.
8. Install the client packages of IBM Tivoli Directory Server. At a command prompt, enter:
     installp -acgXd cd_mount_point/usr/sys/inst.images packages
   Table 9 on page 63 lists the packages required for each client type. Install the packages for your client in the order specified. To install multiple packages, separate the package names by a blank space.
Table 9. Client packages for AIX

32-bit client (no SSL):
  1. idsldap.cltbase61                 Base Client runtime and Base Client SDK
  2. idsldap.clt32bit61                32-bit client (no SSL)
32-bit client (SSL):
  1. idsldap.cltbase61                 Base Client runtime and Base Client SDK
  2. idsldap.clt32bit61                32-bit client (no SSL)
  3. idsldap.clt_max_crypto32bit61     32-bit client (SSL)
64-bit client (no SSL):
  1. idsldap.cltbase61                 Base Client runtime and Base Client SDK
  2. idsldap.clt64bit61                64-bit client (no SSL)
64-bit client (SSL):
  1. idsldap.cltbase61                 Base Client runtime and Base Client SDK
  2. idsldap.clt64bit61                64-bit client (no SSL)
  3. idsldap.clt_max_crypto64bit61     64-bit client (SSL)
Java client:
     idsldap.cltjava61                 Java client required for X11 support
Note: Full server versions require an X11 environment. For a client with no X11 requirements, install the 32-bit or 64-bit client as you would if you required an X11 environment.
9. Install the server packages of IBM Tivoli Directory Server. At a command prompt, enter:
     installp -acgXd cd_mount_point/usr/sys/inst.images packages
   Table 10 lists the packages required for each server type. Install the packages for your server in the order specified. To install multiple packages, separate the package names by a blank space.
   Notes:
   a. The 64-bit server (no SSL) is dependent on prior installation of the 64-bit client (no SSL) packages.
   b. The 64-bit server (SSL) is dependent on prior installation of the 64-bit client (SSL) packages.
   c. Both the 64-bit server (no SSL) and the 64-bit server (SSL) are dependent on prior installation of the Java client package for X11 support.

Table 10. Server packages for AIX

64-bit Server (no SSL):
  1. idsldap.srvbase64bit61               Base Server (no SSL)
  2. idsldap.srv64bit61                   Directory Server 64-bit
  3. idsldap.msg61.en_US                  English messages
64-bit Server (SSL):
  1. idsldap.srvbase64bit61               Base Server (no SSL)
  2. idsldap.srv_max_cryptobase64bit61    Base Server (SSL)
  3. idsldap.srv64bit61                   Directory Server 64-bit
  4. idsldap.msg61.en_US                  English messages
10. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. You must also install an application server. Complete the following steps:
    a. Install the Web Administration Tool package for your deployment:
       • Web Administration Tool (No SSL)
           installp -acgYXd cd_mount_point/usr/sys/inst.images idsldap.webadmin61
    b. Install an application server such as WebSphere Application Server. See AIX: Installing WebSphere Application Server on page 333.
    c. Configure the Web Administration Tool into the application server. See Installing the Web Administration Tool into WebSphere on page 344.
11. English messages are automatically installed with the IBM Tivoli Directory Server package. If you require a different language version of the message files and documentation, install them from the IBM Tivoli Access Manager Language Support for AIX CD. For instructions, see Installing language support packages for IBM Tivoli Directory Server on page 39. To see the language versions that are available, enter the following:
      installp -ld cd_mount_point/usr/sys/inst.images | grep idsldap
    A list of installable IBM Tivoli Directory Server packages is displayed.
12. When installation is completed, the system generates an installation summary. Verify that the last column in the summary displays SUCCESS for all loaded files. You can also verify that IBM Tivoli Directory Server was installed successfully by entering the following command:
      lslpp -aL idsldap.*
    The output lists all the filesets starting with idsldap. This list includes the server, client, Web Administration Tool, HTML, and message filesets. For example:
      Fileset                                  Level    State  Type  Description
      idsldap.clt32bit61.rte                   6.1.0.6    C     F    Directory Server - 32 bit Client
      idsldap.clt64bit61.rte                   6.1.0.6    C     F    Directory Server - 64 bit Client
      idsldap.clt_max_crypto32bit61.rte        6.1.0.6    C     F    Directory Server - 32 bit Client (SSL)
      idsldap.clt_max_crypto64bit61.rte        6.1.0.6    C     F    Directory Server - 64 bit Client (SSL)
      idsldap.cltbase61.adt                    6.1.0.6    C     F    Directory Server Base Client
      idsldap.cltbase61.rte                    6.1.0.6    C     F    Directory Server Base Client
      idsldap.cltjava61.rte                    6.1.0.6    C     F    Directory Server Java Client
      idsldap.msg61.en_US                      6.1.0.6    C     F    Directory Server Messages U.S. English (en)
      idsldap.srv64bit61.rte                   6.1.0.6    C     F    Directory Server - 64 bit Server
      idsldap.srvbase64bit61.rte               6.1.0.6    C     F    Directory Server - Base Server
      idsldap.srv_max_cryptobase64bit61.rte    6.1.0.6    C     F    Directory Server - Base Server (SSL)
      idsldap.webadmin61.rte                   6.1.0.6    C     F    Directory Server - Web Administration
      idsldap.webadmin_max_crypto61.rte        6.1.0.6    C     F    Directory Server - Web Administration (SSL)
13. Install IBM Global Security Kit (GSKit).
    • When your installation has only the client packages for Tivoli Directory Server, install the 32-bit runtime package:
        installp -acgYXd cd_mount_point/usr/sys/inst.images gskta.rte
    • When your installation has both the client and server packages for Tivoli Directory Server, install the 64-bit runtime package:
        installp -acgYXd cd_mount_point/usr/sys/inst.images gsksa.rte
14. Install IBM Tivoli Directory Integrator, if required for your deployment. IBM Tivoli Directory Integrator is required if you have installed a Directory Server and want to use any of the following features:
    • The idssupport tool. This tool gathers information from your system that you can supply to IBM Software Support if you encounter problems.
    • The idslogmgmt tool
    • Simple Network Management Protocol (SNMP)
    • Active Directory synchronization
    For more information:
    • For IBM Tivoli Directory Integrator installation instructions, see the installation information provided with the IBM Tivoli Directory Integrator CD. The IBM Tivoli Directory Integrator CD is included with the IBM Tivoli Access Manager for e-business CD bundle.
    • See the IBM Tivoli Directory Server Version 6.1 Problem Determination Guide for information on idssupport and idslogmgmt.
    • See the IBM Tivoli Directory Server version 6.1 Administration Guide for information on SNMP and Active Directory synchronization.
15. Configure the server instance using the instance administration tool, idsxinst. For instructions, see Creating an instance with the Instance Administration Tool on page 87.
16. Define the LDAP administrator distinguished name (DN) and password and then configure the database that will store the directory data. For instructions, see Setting the administrator DN and password for a directory instance on page 96.
17. After completion of IBM Tivoli Directory Server installation, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 100.
18. Optionally, you can install the Tivoli Directory Server proxy server.
    Note: You must obtain an additional license to use this feature. See License terms for Tivoli Directory Server on page 61.
    To install the proxy server, enter:
      installp -acgXd cd_mount_point/usr/sys/inst.images packages
    Table 11 on page 66 lists the packages required for each proxy server type. Install the packages for your server in the order specified.
    After you install the Tivoli Directory Server proxy server, see Chapter 25, Setting up a Tivoli Directory Server proxy environment, on page 535 for an example scenario of the steps needed to set up a Tivoli Directory Server proxy environment when using Tivoli Access Manager.
19. Optionally, you can install the Tivoli Directory Server White Pages.
    Note: You must obtain an additional license to use this feature. See License terms for Tivoli Directory Server on page 61.
    For installation requirements and instructions, see the IBM Tivoli Directory Server White Pages document.
After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, Setting up a policy server, on page 137.
   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Install IBM DB2.
   a. Use the db2_install utility.
      • For HP-UX:
          /cd-rom_mount-point/hp/db2/db2_install
   b. When the db2_install utility prompts for a keyword, enter ESE.
   c. When the installation completes, verify that the installation was successful by reviewing the contents of the log file:
        /tmp/db2_install_log.99999
      The suffix 99999 will be replaced by a number that is unique to your installation.
7. Apply the IBM DB2 license.
     /db2_install_path/adm/db2licm -a /CD1_mount_point/common/db2ese.lic
   For example:
     /opt/IBM/db2/V9.1/adm/db2licm -a /CD1_mount_point/common/db2ese.lic
   To install IBM Tivoli Directory Server on a multiprocessor machine, DB2 has special licensing that is based on the number of processors that will be used. In some cases, it might be necessary to run the DB2 command to force the licensing to allow multiple processors; for example:
     /opt/IBM/db2/V9.1/adm/db2licm -n db2ese 101 force
   where 101 is the default number of processors. If no number is specified, the license applies only for a single processor. If running this command produces the following error, you can safely ignore it:
     The license policy specified does not apply to this product or is not supported.
   • IBM Tivoli Access Manager Directory Server for HP-UX (2 of 2)
   • IBM Tivoli Access Manager Directory Server for HP-UX on Integrity (2 of 2)
9. Install the client packages of IBM Tivoli Directory Server.
   • HP-UX
       swinstall -s /cd_mount_point/hp packages
   • HP-UX on Integrity
       swinstall -s /cd_mount_point/hp_ia64 packages
   Table 12 lists the packages required for each client type. Install the packages for your client in the order specified.
   Notes:
   a. The package names are the same for both HP-UX and HP-UX on Integrity.
   b. If you plan to install either the IBM Tivoli Directory Server full server or proxy server, you must install the 64-bit client package.

Table 12. Client packages for HP-UX

32-bit client:
  1. idsldap-cltbase61     Base Client
  2. idsldap-clt32bit61    32-bit Client
  3. idsldap-cltjava61     Java Client
64-bit client:
  1. idsldap-cltbase61     Base Client
  2. idsldap-clt64bit61    64-bit Client
  3. idsldap-cltjava61     Java Client

10. Install the server packages of IBM Tivoli Directory Server.
    • HP-UX
        swinstall -s /cd_mount_point/hp packages
    • HP-UX on Integrity
        swinstall -s /cd_mount_point/hp_ia64 packages
    Table 13 lists the packages required for the server. Install the packages in the order specified.
    Notes:
    a. The package names are the same for both HP-UX and HP-UX on Integrity.
    b. The IBM Tivoli Directory Server full server is dependent on prior installation of the 64-bit client package.

Table 13. Server packages for HP-UX

Full server:
  1. idsldap-srvbase64bit61    Base server
  2. idsldap-srv64bit61        Full server
  3. idsldap-msg61en           Messages U.S. English
11. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. You must also install an application server. Complete the following steps:
    a. Install the Web Administration Tool package:
       • For HP-UX
           swinstall -s /cd_mount_point/hp idsldap-webadmin61
    b. Install an application server such as WebSphere Application Server. See HP-UX: Installing WebSphere Application Server on page 334.
    c. Configure the Web Administration Tool into the application server. See Installing the Web Administration Tool into WebSphere on page 344.
12. Install IBM Global Security Kit (GSKit) for your platform.
    • HP-UX 32-bit
        swinstall -s /cd_mount_point/hp gsk7bas
    • HP-UX 64-bit
        swinstall -s /cd_mount_point/hp gsk7bas64
13. English messages are automatically installed with the IBM Tivoli Directory Server package. If you require a different language version of the message files and documentation, install them from the IBM Tivoli Access Manager Language Support for HP-UX or IBM Tivoli Access Manager Language Support for HP-UX on Integrity CD.
14. Install IBM Tivoli Directory Integrator, if required for your deployment. IBM Tivoli Directory Integrator is required if you have installed a Directory Server and want to use any of the following features:
    • The idssupport tool. This tool gathers information from your system that you can supply to IBM Software Support if you encounter problems.
    • The idslogmgmt tool
    • Simple Network Management Protocol (SNMP)
    • Active Directory synchronization
    For more information:
    • For IBM Tivoli Directory Integrator installation instructions, see the installation information provided with the IBM Tivoli Directory Integrator CD. The IBM Tivoli Directory Integrator CD is included with the IBM Tivoli Access Manager for e-business CD bundle.
    • See the IBM Tivoli Directory Server Version 6.1 Problem Determination Guide for information on idssupport and idslogmgmt.
    • See the IBM Tivoli Directory Server version 6.1 Administration Guide for information on SNMP and Active Directory synchronization.
15. You might need to update kernel parameters in the /etc/system file before you use the database. A utility called db2osconf is provided with some versions of DB2 for HP-UX. The db2osconf utility determines the correct kernel settings for your computer. The command for configuring kernel parameters varies by operating system, hardware, and DB2 version. For more information, see the DB2 documentation. You can also search DB2 technotes for additional information.
16. Configure the server instance using the instance administration tool, idsxinst.
    For instructions, see Creating an instance with the Instance Administration Tool on page 87. For detailed information, see the IBM Tivoli Directory Server Installation and Configuration Guide.
17. Define the LDAP administrator DN and password and then configure the database that will store the directory data. For instructions, see Setting the administrator DN and password for a directory instance on page 96.
18. After completion of IBM Tivoli Directory Server installation, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 100.
19. Use the IBM Global Security Kit (GSKit) iKeyman utility to enable SSL communication between your supported registry server and IBM Tivoli Directory Server clients. To do so, follow these steps:
    a. Set up the iKeyman utility. For instructions, see Setting up the GSKit iKeyman utility on page 315.
    b. Enable SSL with a supported registry server. For instructions, see Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 473.
    Note: For more information about using the iKeyman utility, see the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.
20. Optionally, you can install the Tivoli Directory Server proxy server.
    Note: You must obtain an additional license to use this feature. See License terms for Tivoli Directory Server on page 61.
    To install the proxy server, enter:
    • HP-UX
        swinstall -s /cd_mount_point/hp packages
    • HP-UX on Integrity
        swinstall -s /cd_mount_point/hp_ia64 packages
    Table 14 lists the packages required for the server. Install the packages in the order specified.
    Notes:
    a. The package names are the same for both HP-UX and HP-UX on Integrity.
    b. The IBM Tivoli Directory Server proxy server is dependent on prior installation of the 64-bit client package.

Table 14. Proxy server packages for HP-UX

Proxy server:
  1. idsldap-srvbase64bit61     Base server
  2. srvproxy64bit61            Proxy server
  3. idsldap-srvproxy64bit61    Messages U.S. English

    After you install the Tivoli Directory Server proxy server, see Chapter 25, Setting up a Tivoli Directory Server proxy environment, on page 535 for an example scenario of the steps needed to set up a Tivoli Directory Server proxy environment when using Tivoli Access Manager.
21. Optionally, you can install the Tivoli Directory Server White Pages.
    Note: You must obtain an additional license to use this feature. See License terms for Tivoli Directory Server on page 61.
For installation requirements and instructions, see the IBM Tivoli Directory Server White Pages document. After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, Setting up a policy server, on page 137.
      • Linux on System z
          /mnt/cdrom/linux_s390/db2/db2_install
      • Linux on POWER
          /mnt/cdrom/linux_ppc/db2/db2_install
   b. When the db2_install utility prompts for a keyword, enter ESE.
   c. When the installation completes, verify that the installation was successful by reviewing the contents of the log file:
        /tmp/db2_install_log.99999
      The suffix 99999 will be replaced by a number that is unique to your installation.
6. Apply the IBM DB2 license.
     /db2_install_path/adm/db2licm -a /CD1_mount_point/common/db2ese.lic
   For example:
     /opt/IBM/db2/V9.1/adm/db2licm -a /CD1_mount_point/common/db2ese.lic
   To install IBM Tivoli Directory Server on a multiprocessor machine, DB2 has special licensing that is based on the number of processors that will be used. In some cases, it might be necessary to run the DB2 command to force the licensing to allow multiple processors; for example:
     /opt/IBM/db2/V9.1/adm/db2licm -n db2ese 101 force
   where 101 is the default number of processors. If no number is specified, the license applies only for a single processor. If running this command produces the following error, you can safely ignore it:
     The license policy specified does not apply to this product or is not supported.
7. Insert and mount the CD for your platform:
   • IBM Tivoli Access Manager Directory Server for Linux on x86 (2 of 2)
   • IBM Tivoli Access Manager Directory Server for Linux on System z (2 of 2)
   • IBM Tivoli Access Manager Directory Server for Linux on POWER (2 of 2)
8. Install the client packages of IBM Tivoli Directory Server for your deployment.
     rpm -ihv packages
   Table 15 lists the packages required for each client type. Install the packages for your client in the order specified.
   Note: On System z and POWER, when you intend to also install the server, install the 64-bit client because the server is 64-bit.

Table 15. Client packages for Linux platforms

Linux on x86, 32-bit client:
  1. idsldap-cltbase61-6.1.0-6.i386.rpm      Base client
  2. idsldap-clt32bit61-6.1.0-6.i386.rpm     32-bit client
  3. idsldap-cltjava61-6.1.0-6.i386.rpm      Java client
Linux on System z, 32-bit client:
  1. idsldap-cltbase61-6.1.0-6.s390.rpm      Base client
  2. idsldap-clt32bit61-6.1.0-6.s390.rpm     32-bit client
  3. idsldap-cltjava61-6.1.0-6.s390.rpm      Java client
Linux on System z, 64-bit client:
  1. idsldap-cltbase61-6.1.0-6.s390.rpm      Base client
  2. idsldap-clt64bit61-6.1.0-6.s390x.rpm    64-bit client
  3. idsldap-cltjava61-6.1.0-6.s390.rpm      Java client
Linux on POWER, 32-bit client:
  1. idsldap-cltbase61-6.1.0-6.ppc.rpm       Base client
  2. idsldap-clt32bit61-6.1.0-6.ppc.rpm      32-bit client
  3. idsldap-cltjava61-6.1.0-6.ppc.rpm       Java client
Linux on POWER, 64-bit client:
  1. idsldap-cltbase61-6.1.0-6.ppc.rpm       Base client
  2. idsldap-clt64bit61-6.1.0-6.ppc.rpm      64-bit client
  3. idsldap-cltjava61-6.1.0-6.ppc.rpm       Java client

9. Install the server packages of IBM Tivoli Directory Server for your deployment.
     rpm -ihv packages
   Table 16 on page 74 lists the packages required for each server type. Install the packages for your server in the order specified.
   Notes:
   a. The Linux on x86 server is dependent on prior installation of the Linux on x86 32-bit client.
   b. The Linux on System z server is dependent on prior installation of the Linux on System z 64-bit client.
   c. The Linux on POWER server is dependent on prior installation of the Linux on POWER 64-bit client.
Table 16. Server packages for Linux platforms

Linux on x86:
  1. idsldap-srvbase32bit61-6.1.0-6.i386.rpm    Base server
  2. idsldap-srv32bit61-6.1.0-6.i386.rpm        32-bit server
  3. idsldap-msg61-en-6.1.0-6.i386.rpm          English messages
Linux on System z:
  1. idsldap-srvbase64bit61-6.1.0-6.s390x.rpm   Base server
  2. idsldap-srv64bit61-6.1.0-6.s390x.rpm       64-bit server
  3. idsldap-msg61-en-6.1.0-6.s390.rpm          English messages
Linux on POWER:
  1. idsldap-srvbase64bit61-6.1.0-6.ppc64.rpm   Base server
  2. idsldap-srv64bit61-6.1.0-6.ppc64.rpm       64-bit server
  3. idsldap-msg61-en-6.1.0-6.ppc.rpm           English messages

10. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. You must also install an application server. Complete the following steps:
    a. Install the Web Administration Tool package for your deployment.
       • Linux on x86
           rpm -ihv idsldap-webadmin61-6.1.0-6.i386.rpm
       • Linux on System z
           rpm -ihv idsldap-webadmin61-6.1.0-6.s390.rpm
       • Linux on POWER
           rpm -ihv idsldap-webadmin61-6.1.0-6.ppc.rpm
    b. Install an application server such as WebSphere Application Server. See Linux: Installing WebSphere Application Server on page 335.
    c. Configure the Web Administration Tool into the application server. See Installing the Web Administration Tool into WebSphere on page 344.
11. Upgrade the IBM Global Security Kit (GSKit) package for your platform.
    • Linux on x86
        rpm -Uhv gsk7bas-7.0-4.11.i386.rpm
    • Linux on System z
        rpm -Uhv gsk7bas-7.0-4.11.s390.rpm
    • Linux on POWER
        rpm -Uhv gsk7bas-7.0-4.11.ppc32.rpm
12. English messages are automatically installed with the IBM Tivoli Directory Server package. If you require a different language version of the message files and documentation, install them from the CD for your platform:
    • IBM Tivoli Access Manager Language Support for Linux on x86
    • IBM Tivoli Access Manager Language Support for Linux on System z
    • IBM Tivoli Access Manager Language Support for Linux on POWER
For instructions, see Installing language support packages for IBM Tivoli Directory Server on page 39. 13. Verify that the packages have been installed correctly:
rpm -qa | grep idsldap
If the product has been successfully installed, the following is displayed:
v For the 32-bit client on x86
idsldap-cltbase61-6.1.0-6
idsldap-clt32bit61-6.1.0-6
idsldap-cltjava61-6.1.0-6
14. Install IBM Tivoli Directory Integrator, if required for your deployment. IBM Tivoli Directory Integrator is required if you have installed a Directory Server and want to use any of the following features:
v The idssupport tool. This tool gathers information from your system that you can supply to IBM Software Support if you encounter problems.
v The idslogmgmt tool
v Simple Network Management Protocol (SNMP)
v Active Directory synchronization
For more information:
v For IBM Tivoli Directory Integrator installation instructions, see the installation information provided with the IBM Tivoli Directory Integrator CD. The IBM Tivoli Directory Integrator CD is included with the IBM Tivoli Access Manager for e-business CD bundle.
v See the IBM Tivoli Directory Server Version 6.1 Problem Determination Guide for information on idssupport and idslogmgmt.
v See the IBM Tivoli Directory Server Version 6.1 Administration Guide for information on SNMP and Active Directory synchronization.
15. Configure the server instance using the instance administration tool, idsxinst. For instructions, see Creating an instance with the Instance Administration Tool on page 87. For detailed information, see the IBM Tivoli Directory Server Installation and Configuration Guide.
16. Define the LDAP administrator DN and password and then configure the database that will store the directory data. For instructions, see Configuring a directory server instance for IBM Tivoli Directory Server on page 87.
17. After completion of IBM Tivoli Directory Server installation, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 100.
18. Use the IBM Global Security Kit (GSKit) iKeyman utility to enable SSL communication between your supported registry server and IBM Tivoli Directory Server clients. To do so, follow these steps:
a. Set up the iKeyman utility. For instructions, see Setting up the GSKit iKeyman utility on page 315.
b. Enable SSL with a supported registry server. For instructions, see Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 473.
Note: For more information about using the iKeyman utility, see the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.
19. Optionally, you can install the Tivoli Directory Server proxy server.
Note: You must obtain an additional license to use this feature. See License terms for Tivoli Directory Server on page 61.
To install the proxy server for your deployment, enter:
rpm -ihv packages
Table 17 lists the packages required for each proxy server type. Install the packages for your server in the order specified.
Notes:
a. The Linux on System z proxy server is dependent on prior installation of the Linux on System z 64-bit client.
b. The Linux on POWER proxy server is dependent on prior installation of the Linux on POWER 64-bit client.
Table 17. Proxy server packages for Linux platforms

Server type         Packages (install in this order)                Package descriptions
Linux on x86        1. idsldap-srvbase32bit61-6.1.0-6.i386.rpm      1. Base server
                    2. idsldap-srvproxy32bit61-6.1.0-6.i386.rpm     2. 32-bit proxy server
                    3. idsldap-msg61-en-6.1.0-6.i386.rpm            3. English messages
Linux on System z   1. idsldap-srvbase64bit61-6.1.0-6.s390x.rpm     1. Base server
                    2.                                              2. 64-bit proxy server
                    3.                                              3. English messages
After you install the Tivoli Directory Server proxy server, see Chapter 25, Setting up a Tivoli Directory Server proxy environment, on page 535 for an example scenario of the steps needed to set up a Tivoli Directory Server proxy environment when using Tivoli Access Manager.
20. Optionally, you can install the Tivoli Directory Server White Pages.
Note: You must obtain an additional license to use this feature. See License terms for Tivoli Directory Server on page 61.
For installation requirements and instructions, see the IBM Tivoli Directory Server White Pages document.
After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, Setting up a policy server, on page 137.
v Solaris on x86_64
/cdrom/cdrom0/solaris_x86/db2/db2_install
b. When the db2_install utility prompts for a keyword, enter ESE.
c. When the installation completes, verify that the installation was successful by reviewing the contents of the log file:
/tmp/db2_install_log.99999
The suffix 99999 will be replaced by a number that is unique to your installation.
6. Mount the next CD for your operating system:
v IBM Tivoli Access Manager Directory Server for Solaris (2 of 2)
v IBM Tivoli Access Manager Directory Server for Solaris on x86_64 (2 of 2)
7. Apply the IBM DB2 license.
/db2_install_path/adm/db2licm -a /CD2_mount_point/common/db2ese.lic
For example:
/opt/ibm/db2/V9.1/adm/db2licm -a /CD2_mount_point/common/db2ese.lic
To install IBM Tivoli Directory Server on a multiprocessor machine, DB2 has special licensing that is based on the number of processors that will be used. In some cases, it might be necessary to run the DB2 command to force the licensing to allow multiple processors; for example:
/opt/ibm/db2/V9.1/adm/db2licm -n db2ese 101 force
where 101 is the default number of processors. If no number is specified, the license applies only for a single processor. If running this command produces the following error, you can safely ignore it:
The license policy specified does not apply to this product or is not supported.
8. Install the client packages of IBM Tivoli Directory Server for your platform:
v Solaris
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
v Solaris on x86_64
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages
Table 18 lists the packages required for each client type. Install the packages for your client in the order specified.
Notes:
a. The package names are the same for both the Solaris and Solaris on x86 operating systems.
b. During installation, you are asked if you want to use /opt as the base directory. If space permits, accept /opt as the base directory.
c. When you install client or server packages, the system might prompt you with the following query:
This package contains scripts which will be executed with super-user permission during the process of installing the package. Continue with installation?
Type y to continue. These scripts create the Tivoli Directory Server user ID.
Table 18. Client packages for Solaris

Client type     Packages (install in this order)   Package descriptions
32-bit client   1. IDSlbc61                        1. Base client
                2. IDSl32c61                       2. 32-bit client
                3. IDSljc61                        3. Java client
64-bit client   1. IDSlbc61                        1. Base client
                2. IDSl64c61                       2. 64-bit client
                3. IDSljc61                        3. Java client
9. Install the server packages of IBM Tivoli Directory Server for your platform:
v Solaris
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
v Solaris on x86_64
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages
Table 19 on page 80 lists the server packages. Install the packages in the order specified.
Notes:
a. The package names are the same for both Solaris platforms.
b. During installation, you are asked if you want to use /opt as the base directory. If space permits, accept /opt as the base directory.
c. When you install client or server packages, the system might prompt you with the following query:
This package contains scripts which will be executed with super-user permission during the process of installing the package. Continue with installation?
Type y to continue. These scripts create the Tivoli Directory Server user ID.
Chapter 3. Setting up the registry server
d. If you are installing a server package, you might also see the following prompt:
Do you want to install these as setuid and/or setgid files?
The programs need to be able to start daemons, run DB2 commands, and create the IBM Tivoli Directory Server DB2 instance user ID and group, so they occasionally need to run as root. Type y to continue.
Table 19. Server packages for Solaris

Server          Packages (install in this order)   Package descriptions
64-bit server   1. IDSlbs61                        1. Base server
                2. IDSl64s61                       2. 64-bit server
                3. IDSlen61                        3. English messages
10. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. You must also install an application server. Complete the following steps:
a. Install the Web Administration Tool package for your deployment.
v Solaris
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IDSlweb61
v Solaris on x86_64
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault IDSlweb61
b. Install an application server such as WebSphere Application Server. See Solaris: Installing WebSphere Application Server on page 336.
c. Configure the Web Administration Tool into the application server. See Installing the Web Administration Tool into WebSphere on page 344.
11. Install IBM Global Security Kit (GSKit). Specify the package for your environment:
v Solaris 32-bit
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas
v Solaris 64-bit
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas64
Note: After you install GSKit, no configuration is necessary.
12. English messages are automatically installed with the IBM Tivoli Directory Server package. If you require a different language version of the message files and documentation, install them from the IBM Tivoli Access Manager Language Support for Solaris CD. For instructions, see Installing language support packages for IBM Tivoli Directory Server on page 39.
13. Install IBM Tivoli Directory Integrator, if required for your deployment.
IBM Tivoli Directory Integrator is required if you have installed a Directory Server and want to use any of the following features:
v The idssupport tool. This tool gathers information from your system that you can supply to IBM Software Support if you encounter problems.
v The idslogmgmt tool
v Simple Network Management Protocol (SNMP)
v Active Directory synchronization
For more information:
v For IBM Tivoli Directory Integrator installation instructions, see the installation information provided with the IBM Tivoli Directory Integrator CD. The IBM Tivoli Directory Integrator CD is included with the IBM Tivoli Access Manager for e-business CD bundle.
v See the IBM Tivoli Directory Server Version 6.1 Problem Determination Guide for information on idssupport and idslogmgmt.
v See the IBM Tivoli Directory Server Version 6.1 Administration Guide for information on SNMP and Active Directory synchronization.
14. After you install, you might need to update kernel parameters in the /etc/system file before you use the database. A utility called db2osconf is provided with some versions of DB2 for Solaris. The db2osconf utility determines the correct kernel settings for your computer. The command for configuring kernel parameters varies by operating system, hardware, and DB2 version. For more information, see the DB2 documentation. You can also search DB2 technotes for additional information.
15. Configure the server instance using the instance administration tool, idsxinst. For instructions, see Creating an instance with the Instance Administration Tool on page 87. For detailed information, see the IBM Tivoli Directory Server Installation and Configuration Guide.
16. Define the LDAP administrator DN and password and then configure the database that will store the directory data. For instructions, see Configuring a directory server instance for IBM Tivoli Directory Server on page 87.
17. After completion of IBM Tivoli Directory Server installation, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 100.
18. Use the IBM Global Security Kit (GSKit) iKeyman utility to enable SSL communication between your supported registry server and IBM Tivoli Directory Server clients. To do so, follow these steps:
a. Set up the iKeyman utility. For instructions, see Setting up the GSKit iKeyman utility on page 315.
b. Enable SSL with a supported registry server. For instructions, see Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 473.
Note: For more information about using the iKeyman utility, see the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.
19. Optionally, you can install the Tivoli Directory Server proxy server.
Note: You must obtain an additional license to use this feature. See License terms for Tivoli Directory Server on page 61.
To install the proxy server packages for your platform:
v Solaris
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
v Solaris on x86_64
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages
Table 20 lists the server packages. Install the packages in the order specified.
Notes:
a. The package names are the same for both Solaris platforms.
b. The proxy server requires the 64-bit client package.
Table 20. Proxy server packages for Solaris

Server                Packages (install in this order)   Package descriptions
64-bit proxy server   1. IDSlbs61                        1. Base server
                      2. IDSl64p61                       2. Proxy server
                      3. IDSlen61                        3. English messages
After you install the Tivoli Directory Server proxy server, see Chapter 25, Setting up a Tivoli Directory Server proxy environment, on page 535 for an example scenario of the steps needed to set up a Tivoli Directory Server proxy environment when using Tivoli Access Manager.
20. Optionally, you can install the Tivoli Directory Server White Pages.
Note: You must obtain an additional license to use this feature. See License terms for Tivoli Directory Server on page 61.
For installation requirements and instructions, see the IBM Tivoli Directory Server White Pages document.
After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, Setting up a policy server, on page 137.
6. Double-click the install_tds.bat icon. If you prefer, you can use the command line to begin installation and specify a temporary directory other than the one specified by the TEMP environment variable. To use this option, go to:
<CD-drive>:windows\tds
and enter:
install_tds.bat -is:tempdir directory
where directory is the directory you want to use for temporary space. Be sure that you have at least 255 MB of free space in this directory. If you are installing any of the corequisite products (WebSphere Application Server or DB2), be sure that you also have 150 MB in the directory specified by the TEMP environment variable. For example:
install_tds.bat -is:tempdir "c:\My Documents\temp"
The language window is displayed.
Note: If the installation program exits without displaying the language window, it might be because there is not enough space in the directory specified by the TEMP environment variable or the directory you specified for temporary space. Be sure that you have at least 255 MB of free space in this directory.
7. Select the language you want to use during the installation. Click OK.
8. On the Welcome window, click Next.
9. After reading the Software license agreement, select I accept both the IBM and the non-IBM terms. Click Next.
10. If you have any components already installed, they are displayed with their corresponding version levels. Click Next.
11. To install in the default directory, click Next. You can specify a different directory by clicking Browse or typing the directory path you want. The directory will be created if it does not exist. (The default installation directory is C:\Program Files\IBM\LDAP\V6.1.)
Notes:
a. If you have already installed one or more language packs, the installation location is set to the path where you installed the language packs, and you are not asked where you want to install.
b. Be sure that the installation location is not the same as the path where another version of the client is installed.
c. Do not use special characters, such as hyphen (-) and period (.), in the name of the installation directory. For example, use ldapdir rather than ldap-dir or ldap.dir.
12. Click Custom and then click Next.
13. A window showing the following components for installation is displayed:
Attention: Do not select Tivoli Directory Integrator. See step 24 on page 86 for instructions on how to install Tivoli Directory Integrator.
v Tivoli Global Security Kit
v DB2 V9.1
v Embedded WebSphere Application Server
v C Client 6.1
v Java Client 6.1
v Web Administration Tool 6.1
v Proxy Server 6.1
v Server 6.1
This window also indicates the amount of disk space required and available on the selected drive. Be sure the components you want to install are selected, and click Next.
14. If you selected the Web Administration Tool:
v When the Web Administration Tool is installed, a Web application server is required to run the tool, and Embedded WebSphere Application Server 6.1.0.7 is installed and configured for you. If you want to use another WebSphere application server, you must select a Web application server. When Embedded WebSphere Application Server is installed and an application (such as the Web Administration Tool) is installed into Embedded WebSphere Application Server, the Embedded WebSphere Application Server server for that application is also installed as a service.
v The Web Administration Tool 6.1 requires a Web application server. If you selected Web Administration Tool 6.1 but you did not select Embedded WebSphere Application Server, a window is displayed asking you to specify a Web application server into which to deploy the application. You can do one of the following:
- Click Detected WebSphere Application Servers and then select a WebSphere Application Server that is installed on the system and detected by the InstallShield GUI installation program. The application will be deployed into this version of WebSphere Application Server.
- Click Custom location of WebSphere Application Server to specify a path to a version of WebSphere Application Server in a different location. The application will be deployed into this version of WebSphere Application Server.
- Click Do not specify. I will manually deploy at a later time. You must deploy the application into a WebSphere Application Server before you can use the application.
15. If you selected Server 6.1 but not DB2 V9.1 and there are multiple versions of DB2 (such as versions 8 and 9) on the system, you are asked to select the version of DB2 you want to use with Tivoli Directory Server 6.1.
16. If you selected DB2 V9.1, a window is displayed prompting you to enter a Windows user ID and password for the DB2 system ID. On the window:
a. Type the user ID. This user ID must not be the user ID you intend to use as the owner of the directory server instance. If you are not using an existing user ID, DB2 creates the user ID you specify with the password you type. This is the preferred method. If you are using an existing Windows user ID, it must be a member of the Administrators group.
b. Type the password, and then type the password again for verification. (If you are using an existing Windows user ID, be sure that your password is correct. Otherwise, DB2 does not install correctly.)
c. Click Next.
Note: DB2 installs a version of GSKit that is a lower version than the version required by Tivoli Directory Server. DB2 installs the lower-level version of GSKit to the default location. Tivoli Directory Server installs the required level of GSKit over the DB2-installed GSKit in the default location. If you want to install GSKit somewhere besides the default location, you must install GSKit manually to the desired location before installing DB2.
17. If you selected Proxy Server 6.1, you must obtain an additional license in order to use this feature. See License terms for Tivoli Directory Server on page 61.
18. The installation program now has enough information to begin installing. A summary window displays the components you selected and the locations where the selected components will be installed. Click Back to change any of your selections. Click Install to begin installation. If you are installing from CDs, you are prompted to insert different CDs during the installation. Be sure to follow the instructions carefully and insert the correct CDs.
Note: After installation has begun, do not try to cancel the installation. If you inadvertently cancel the installation, see the information about recovering from a failed installation in the IBM Tivoli Directory Server version 6.1 Problem Determination Guide before you attempt to reinstall.
19. If you are asked if you want to restart your computer now or later, select the option you want and click Finish.
v You might need to restart your system to complete the Tivoli Directory Server installation. If your computer is restarted, log in using the same user ID that you used to install Tivoli Directory Server.
v If you installed DB2, the DB2 First Steps GUI might be started. You can go through the DB2 First Steps or close this GUI.
20. After completion of IBM Tivoli Directory Server configuration, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 100.
21. Use the IBM Global Security Kit (GSKit) iKeyman utility to enable SSL communication between your supported registry server and IBM Tivoli Directory Server clients. To do so, follow these steps:
a. Set up the iKeyman utility. For instructions, see Setting up the GSKit iKeyman utility on page 315.
b. Enable SSL with a supported registry server. For instructions, see Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 473.
Note: For more information about using the iKeyman utility, see the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.
22. Apply the IBM DB2 license. (Insert the IBM Tivoli Access Manager Base for Windows CD if needed.)
path\db2licm -a drive\common\db2ese.lic
To install IBM Tivoli Directory Server on a multiprocessor machine, DB2 has special licensing that is based on the number of processors that will be used. In some cases, it might be necessary to run the DB2 command to force the licensing to allow multiple processors:
path\db2licm -n db2ese 101 force
where 101 is the default number of processors. If no number is specified, the license applies only for a single processor. If running this command produces the following error, you can safely ignore it:
The license policy specified does not apply to this product or is not supported.
23. Optionally, you can install the Tivoli Directory Server White Pages.
Note: You must obtain an additional license to use this feature. See License terms for Tivoli Directory Server on page 61.
For installation requirements and instructions, see the IBM Tivoli Directory Server White Pages document.
24. Install IBM Tivoli Directory Integrator, if required for your deployment. IBM Tivoli Directory Integrator is required if you have installed a Directory Server and want to use any of the following features:
v The idssupport tool. This tool gathers information from your system that you can supply to IBM Software Support if you encounter problems.
v The idslogmgmt tool
v Simple Network Management Protocol (SNMP)
v Active Directory synchronization
For more information:
v For IBM Tivoli Directory Integrator installation instructions, see the installation information provided with the IBM Tivoli Directory Integrator CD. The IBM Tivoli Directory Integrator CD is included with the IBM Tivoli Access Manager for e-business CD bundle.
v See the IBM Tivoli Directory Server Version 6.1 Problem Determination Guide for information on idssupport and idslogmgmt.
v See the IBM Tivoli Directory Server Version 6.1 Administration Guide for information on SNMP and Active Directory synchronization.
After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, Setting up a policy server, on page 137.
1. On AIX, Linux, Solaris, and HP-UX systems, log on as root. On Windows systems, log on with a user ID that is a member of the Administrators group.
2. If the Instance Administration Tool is not started, start it.
v Windows
C:\Program Files\IBM\LDAP\V6.1\sbin\idsxinst
On Windows systems, you also can click Start > Programs > IBM Tivoli Directory Server 6.1 > Instance Administration Tool.
v AIX, Solaris, and HP-UX systems:
/opt/IBM/ldap/V6.1/sbin/idsxinst
v Linux
/opt/ibm/ldap/V6.1/sbin/idsxinst
3. Click Create.
4. On the Create new directory server instance window:
a. Click Create default instance.
b. Click Next.
5. On the Default instance details window, complete the following fields:
User password
Type the password for the system user, idsinst, that will own the directory server instance.
Encryption seed
Type a string of characters that will be used as an encryption seed. The encryption seed must contain only printable ISO-8859-1 ASCII characters with values in the range of 33 to 126, and must be a minimum of 12 and a maximum of 1016 characters in length. For more information about what characters can be used, see the IBM Directory Server Version 6.1 Installation Guide. This encryption seed is used to generate a set of Advanced Encryption Standard (AES) secret key values. These values are stored in the directory server instance's directory key stash file and used to encrypt and decrypt directory stored password and secretkey attributes. Record the encryption seed in a secure location; you might need it if you export data to an LDIF file (the idsdb2ldif command) or regenerate the key stash file (the idsgendirksf command).
Administrator DN password
The administrator DN for the default instance is cn=root. Type the password for the administrator DN. You must define a password. Passwords are case-sensitive. Double byte character set (DBCS) characters in the password are not valid. Record the password in a secure location for future reference.
Click Next.
6. In the Verify settings window, information is displayed about the options you specified. To return to an earlier window and change information, click Back. To begin creating the directory server instance, click Finish.
7. The Results window is displayed, and messages are displayed while the directory server instance is being created. A completion message is displayed when instance creation is complete. Click OK to remove the message.
8. Click Close to close the window and return to the main window of the Instance Administration Tool.
9. If you have finished using the Instance Administration Tool, click Close to exit the tool.
Note: After you create the default instance:
v Start the server. See IBM Tivoli Directory Server Version 6.1 Installation Guide for information about starting the server.
v If you have installed and configured the Web Administration Tool, start the WebSphere Application Server service or the Embedded WebSphere Application Server service. If you selected to use the Embedded WebSphere Application Server service, see the IBM Tivoli Directory Server Version 6.1 Installation Guide for more information about starting the WebSphere Application Server service. If you selected to use WebSphere Application Server, see the WebSphere Application Server documentation for more information about starting the WebSphere Application Server service: http://www-306.ibm.com/software/webservers/appserv/was/library/
Creating a new instance for which you specify all settings:
To create a new instance for which you specify all the settings with the Instance Administration Tool:
1. On AIX, Linux, Solaris, and HP-UX systems, log on as root. On Windows systems, log on with a user ID that is a member of the Administrators group.
2. If the Instance Administration Tool is not started, start it.
v Windows
C:\Program Files\IBM\LDAP\V6.1\sbin\idsxinst
On Windows systems, you also can click Start > Programs > IBM Tivoli Directory Server 6.1 > Instance Administration Tool.
v AIX, Solaris, and HP-UX systems:
/opt/IBM/ldap/V6.1/sbin/idsxinst
v Linux
/opt/ibm/ldap/V6.1/sbin/idsxinst
3. Click Create.
4. On the Create a new directory server instance window, click Create a new directory server instance.
5. If you want the new directory server instance to be a proxy server instance, select the Set up as proxy check box. A proxy server does not have an associated database instance.
6. Click Next.
7. On the Instance details window, complete the following fields:
User name
Do one of the following:
v If the user you want to own the directory server instance is an existing user on the system, select the system user ID of the user from the list. This name will also be the name of the directory server instance. If you want to change properties for the user, click Edit user. On the window that displays:
a. If you want to change the user's password, type the new password in the Password field.
b. If you are on an AIX, Linux, Solaris, or HP-UX system and you want to change the home directory for the user, type the new home directory in the Home directory field. You can click Browse to locate the home directory.
c. If you are on an AIX, Linux, Solaris, or HP-UX system and you want to change the user's primary group, type the new primary group in the Primary group field.
d. Click Edit to save your changes.
v If you want to create a new system user ID for the owner of the directory server instance, click Create user. On the window that displays:
a. Type a name for the user in the User Name field. This name becomes the directory server instance name. The name of the new directory server instance must be unique; if there is already a directory server instance on the computer with the same name, you will receive an error message.
b. Type the password for the user in the Password field.
c. If you are on an AIX, Linux, Solaris, or HP-UX system:
1) Type the home directory for the user in the Home directory field. You can click Browse to locate the home directory.
2) Type the name of the user's primary group in the Primary group field.
d. Click Create to create the user.
Install location
Type the location where the directory server instance files will be stored. Be sure that you have at least 30 MB of free disk space in this location. On Windows systems, this location is a drive, such as C:. The directory instance files will be stored on the drive you specify in the \idsslapd-instance_name directory. (instance_name is the name of the directory server instance.) On AIX, Linux, Solaris, and HP-UX systems, the default location for the instance files is in the directory instance owner's home directory, but you can specify a different path. Click Browse if you want to select a location.
Encryption seed string
Type a string of characters that will be used as an encryption seed. The encryption seed must contain only printable ISO-8859-1 ASCII characters with values in the range of 33 to 126, and must be a minimum of 12 and a maximum of 1016 characters in length. For more information about what characters can be used, see the IBM Directory Server Version 6.1 Installation Guide. This encryption seed is used to generate a set of Advanced Encryption Standard (AES) secret key values. These values are stored in the directory server instance's directory key stash file and used to encrypt and decrypt directory stored password and secretkey attributes.
Record the encryption seed in a secure location; you might need it if you export data to an LDIF file (the idsdb2ldif command) or regenerate the key stash file (the idsgendirksf command).
Confirm encryption seed
Type the encryption seed string again for confirmation.
Use encryption salt value
Select this check box if you want to provide an encryption salt value.
v If you are migrating and you want the directory server instance to be cryptographically synchronized with the same directory server instances as the instance you are migrating, check this box and then complete the Encryption salt string and Confirm encryption salt string fields.
v If you are creating a new directory server instance and you want the new directory server instance to be cryptographically synchronized with other directory server instances, check this box and then specify the same encryption salt string that the other directory server instances have.
If you clear the check box, the Instance Administration Tool generates an encryption salt string value randomly.
Encryption salt string
If you want to provide an encryption salt string, type the value. The encryption salt is used, along with the encryption seed, to generate two-way Advanced Encryption Standard (AES) encryption keys that are stored in key stash files. These values are used to encrypt and decrypt directory stored password and secretkey attributes. If you want to use replication, use a distributed directory, or import and export LDIF data between server instances, you can obtain better performance if the directory server instances have the same encryption salt value. Therefore, if the directory server instance you are creating or migrating will be used in one of these ways, set the encryption salt value to the encryption salt value of the directory server instances with which it will be involved in these activities. You can obtain the destination server's salt value by searching (using the ldapsearch utility) the destination server's 'cn=crypto,cn=localhost' entry. The attribute type is ibm-slapdCryptoSalt. The encryption salt must contain only printable ISO-8859-1 ASCII characters with values in the range of 33 to 126, and must be exactly 12 characters in length. For more information about what characters can be used, see the IBM Directory Server Version 6.1 Installation Guide.
Confirm encryption salt string
Type the encryption salt string again for confirmation.
Instance description
Optionally, type a description of the directory server instance. This description is displayed in other windows to help identify the instance.
Click Next.
8. If the DB2 instance details window is displayed, either accept the name that is displayed in the DB2 instance name field, or type or select a different name for the DB2 instance, and then click Next. By default, the DB2 instance name is the same as the name of the directory server instance, but you can specify a different name for the DB2 instance. If you specify a different name, there must be a system user ID by the same name. This name cannot be already associated with another directory server instance.
9. On the TCP/IP settings for multihomed hosts window, do one of the following:
v If you want the directory server instance to listen on all IP addresses, select the Listen on all configured IP addresses check box.
v If you want the directory server instance to listen on a particular set of IP addresses that are configured on the computer, clear the Listen on all configured IP addresses check box. Then select the IP address or addresses in the list that you want the directory server instance to listen on.
Click Next.
10. On the TCP/IP port settings window, complete the following fields:
Server port number
Type the number of the port you want the server to use as its contact port. The number must be between 1 and 65535.
Server secure port number
Type the number of the port you want the server to use as its secure port. The number must be between 1 and 65535.
Admin daemon port number
Type the number of the port you want the administration daemon to use as its port. The number must be between 1 and 65535.
Admin daemon secure port number
Type the number of the port you want the administration daemon to use as its secure port. The number must be between 1 and 65535.
Notes:
a. If you have two or more directory server instances listening on the same IP address (or set of IP addresses), be sure that those directory server instances do not use any of the same port numbers.
b. On AIX, Linux, Solaris, and HP-UX systems, port numbers below 1000 can be used only by root.
Click Next.
11. If the Optional steps window is displayed:
a. Select Configure admin DN and password if you want to configure the administrator DN and password for the directory server instance now. (The administrator DN and password are required for both proxy servers and full servers.)
b. Select Configure database if you want to configure the database for the directory server instance now. (A proxy server instance does not require a database.) When you configure the database, the Instance Administration Tool adds information about the database that will be used to store directory data to the configuration file (ibmslapd.conf) for the directory server instance. In addition, if the database does not already exist, the Instance Administration Tool creates the database.
Click Next.
Note: You can use the Configuration Tool or the command line later if you do not want to set the administrator DN or configure the database now, but you cannot use the directory server instance until you have done these steps.
12. If the Configure administrator DN and password window is displayed:
a. In the Administrator DN field, type a valid DN (or accept the default DN, cn=root). The administrator DN is the DN used by the administrator of the directory server instance. This administrator is the one user who has full access to all data in the directory. The default DN is cn=root. DNs are not case sensitive. If you are unfamiliar with LDAP DN format, or if for any other reason you do not want to define a new DN, accept the default DN.
b. Type the password for the administrator DN in the Administrator Password field. You must define a password. Passwords are case-sensitive. Double byte character set (DBCS) characters in the password are not valid. Record the password in a secure location for future reference.
c. Retype the password in the Confirm password field.
d. Click Next.
13. If the Configure database window is displayed:
a. Type a valid DB2 administrator ID in the Database user name field. This ID must already exist and must have the proper authority before you can configure the database.
Note: Before server startup, this user must have the locale set to the correct locale for the language in which you want server messages to be displayed. If necessary, log in as the user and change the locale to the correct one.
b. Type the password for the user in the Password field. Passwords are case-sensitive.
Note: If you change the system password for the DB2 administrator, you cannot update it through the Instance Administration Tool. You must use the Configuration Tool or the idscfgdb command with the -w option. See the IBM Tivoli Directory Server Version 6.1 Installation Guide for more information.
c. Type the name you want to give the DB2 database in the Database name field. The name can be from 1 to 8 characters long.
d. Click Next.
14. If the Database options window is displayed:
a. Type the location for the database in the Database install location field. For Windows platforms, this must be a drive letter. For non-Windows platforms, the location must be a directory name, such as /home/ldapdb. (You can click Browse to locate a directory.) Be sure that you have at least 80 MB of free hard disk space in the location you specify and that additional disk space is available to accommodate growth as new entries are added to the directory.
b. In the Character-set option box:
1) Click the type of database you want to create. Click one of the following:
v Create a universal DB2 database (UTF-8/UCS-2) to create a UCS Transformation Format (UTF-8) database, in which LDAP clients can store UTF-8 character data.
v Create a local codepage DB2 database to create a database in the local code page.
Create a universal database if you plan to store data in multiple languages in the directory. A universal database is also most efficient because less data translation is needed. If you want to use language tags, the database must be a UTF-8 database. For more information about UTF-8, see the IBM Tivoli Directory Server Version 6.1 Installation Guide.
c. Click Next.
15. In the Verify settings window, information is displayed about the options you specified. To return to an earlier window and change information, click Back. To begin creating the directory server instance, click Finish.
16. The Results window is displayed, and messages are displayed while the instance is being created. A completion message is displayed when instance creation is complete. Click OK to remove the message.
17. Click Close to close the window and return to the main window of the Instance Administration Tool.
18. If you have finished using the Instance Administration Tool, click Close to exit the tool.
Note: After you set the administrator DN and password and, for a full server, configure the database:
v Start the server. See IBM Tivoli Directory Server Version 6.1 Installation Guide for instructions.
v If you have installed and configured the Web Administration Tool, start the WebSphere Application Server service or the Embedded WebSphere Application Server service. If you selected to use the Embedded WebSphere Application Server service, see the IBM Tivoli Directory Server Version 6.1 Installation Guide for instructions. If you selected to use WebSphere Application Server, see the WebSphere Application Server documentation for instructions: http://www-306.ibm.com/software/webservers/appserv/was/library/
Note: After you set the administrator DN and password and, for a full server, configure the database, see the IBM Tivoli Directory Server Version 6.1 Installation Guide for information about:
v Starting the server
v Starting the Embedded WebSphere Application Server service if you have installed and configured the Web Administration Tool.
You can find information about using the Web Administration Tool in the IBM Tivoli Directory Server Version 6.1 Installation Guide.
Creating an instance with the command line: You can use the idsicrt command to create an instance.
For example, using the idsicrt command: v To create a new directory server instance called myinst that has a port of 389, a secure port of 636, an encryption seed of mysecretkey!, an encryption salt of mysecretsalt, and a DB2 instance with the name myinst, issue the command:
idsicrt -I myinst -p 389 -s 636 -e mysecretkey! -g mysecretsalt
If the directory server instance already existed, this command would fail. If you did not specify the encryption salt, the command would randomly generate an encryption salt. If you did not specify the encryption seed, you would be prompted for the seed. In the following example, you are prompted to enter an encryption seed. The encryption seed is not displayed on the command line when you enter it. After you type the encryption seed and press Enter, the command attempts to create the directory server instance.
idsicrt -I myinst -p 389 -s 636
v To create the same instance so that it binds to a particular IP address, issue the command:
idsicrt -I myinst -p 389 -s 636 -e mysecretkey! -g mysecretsalt -i 1.9.86.566
v To create a new directory server instance called myinst that has a port of 389, a secure port of 636, an encryption seed of mysecretkey!, and a DB2 instance with the name mydbin, use the following command:
idsicrt -I myinst -p 389 -s 636 -e mysecretkey! -t mydbin
In this case, the command will randomly generate an encryption salt value. Note: After you create the directory server instance with the idsicrt command, use the idsdnpw command to set the administrator DN and password. See Using the command line on page 96. If the directory server instance is a full server, configure the database using the idscfgdb command line utility. See Configuring the database with the command line on page 98. See the IBM Tivoli Directory Server 6.1 Command Reference for more information about using the idsicrt command.
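The seed and salt rules stated for the Instance Administration Tool (printable ISO-8859-1 characters with values 33 to 126; a seed of 12 to 1016 characters, a salt of exactly 12) apply equally to the values passed to idsicrt with -e and -g, and idsicrt fails after the fact rather than telling you which rule was broken. The following Python is an added example, not code from this guide or from Tivoli Directory Server: it checks a proposed seed and salt against those rules, pulls a peer's ibm-slapdCryptoSalt out of ldapsearch output so a new instance can be cryptographically synchronized with it, and produces a random salt for the stand-alone case. The ldapsearch output it parses is a constructed sample; the attribute name is the one the guide gives.

```python
import base64
import secrets

# Rules stated for the Instance Administration Tool and idsicrt -e / -g:
# only printable ISO-8859-1 characters with values 33..126 are allowed.
ALLOWED_CHARS = frozenset(chr(code) for code in range(33, 127))
SEED_MIN_LEN, SEED_MAX_LEN = 12, 1016   # encryption seed length bounds
SALT_LEN = 12                           # encryption salt is exactly 12 chars


def _char_problems(value, label):
    """Return a list describing any characters in value outside the allowed set."""
    bad = sorted({ch for ch in value if ch not in ALLOWED_CHARS})
    if not bad:
        return []
    return ["%s contains disallowed character(s): %s"
            % (label, ", ".join("U+%04X" % ord(ch) for ch in bad))]


def validate_encryption_seed(seed):
    """Return a list of rule violations for an encryption seed (empty = valid)."""
    problems = []
    if not SEED_MIN_LEN <= len(seed) <= SEED_MAX_LEN:
        problems.append("seed length %d is not between %d and %d"
                        % (len(seed), SEED_MIN_LEN, SEED_MAX_LEN))
    problems.extend(_char_problems(seed, "seed"))
    return problems


def validate_encryption_salt(salt):
    """Return a list of rule violations for an encryption salt (empty = valid)."""
    problems = []
    if len(salt) != SALT_LEN:
        problems.append("salt length %d is not exactly %d" % (len(salt), SALT_LEN))
    problems.extend(_char_problems(salt, "salt"))
    return problems


def generate_salt():
    """Random salt meeting the rules, for an instance that will NOT be
    cryptographically synchronized with others (otherwise reuse the peer's salt).
    The secrets module is used so the value is not predictable."""
    alphabet = "".join(sorted(ALLOWED_CHARS))
    return "".join(secrets.choice(alphabet) for _ in range(SALT_LEN))


def salt_from_ldapsearch_output(text):
    """Extract ibm-slapdCryptoSalt from LDIF-style ldapsearch output of the
    cn=crypto,cn=localhost entry. Handles the base64 ('::') LDIF form as well.
    Returns None when the attribute is absent."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("ibm-slapdcryptosalt::"):
            encoded = line.split("::", 1)[1].strip()
            return base64.b64decode(encoded).decode("latin-1")
        if line.lower().startswith("ibm-slapdcryptosalt:"):
            return line.split(":", 1)[1].strip()
    return None


# Constructed sample of an ldapsearch of cn=crypto,cn=localhost on the peer
# (the salt value is invented for this example).
SAMPLE_LDAPSEARCH_OUTPUT = """\
cn=crypto,cn=localhost
cn=crypto
objectclass: top
objectclass: ibm-slapdCrypto
ibm-slapdCryptoSalt: mysecretsalt
"""


def peer_salt_for_new_instance(ldapsearch_output):
    """Return the peer's salt if present and valid, ready for idsicrt -g;
    raise if the peer reports no usable salt."""
    salt = salt_from_ldapsearch_output(ldapsearch_output)
    if salt is None:
        raise ValueError("peer entry has no ibm-slapdCryptoSalt attribute")
    problems = validate_encryption_salt(salt)
    if problems:
        raise ValueError("peer salt is unusable: " + "; ".join(problems))
    return salt


if __name__ == "__main__":
    print("seed problems:", validate_encryption_seed("mysecretkey!"))
    print("peer salt:", peer_salt_for_new_instance(SAMPLE_LDAPSEARCH_OUTPUT))
    print("fresh salt:", generate_salt())
```

Because the allowed set includes shell metacharacters such as quotes, backslash and `!`, quote a generated salt or seed with single quotes when passing it on a UNIX command line, and remember that a value given on the command line may be visible in the process list and shell history, which is why the guide's prompted form of idsicrt (no -e) is preferable on shared systems.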
Migrating an instance
You can migrate a directory server instance from a previous version of IBM Tivoli Directory Server to a 6.1 directory server instance. If you are migrating from a version that is before 6.0, you must have already backed up the configuration and schema files.
v To migrate a 6.0 directory server instance:
1. If the Instance Administration Tool is not started, start it.
2. Select the 6.0 directory server instance you want to migrate in the list, and click Migrate.
3. In the Migrate directory server instance window, click Migrate. Messages are displayed while the directory server instance is being migrated. A completion message is displayed when migration is complete. Click OK to remove the message.
4. Click Close to close the window and return to the main window of the Instance Administration Tool. If you have finished using the Instance Administration Tool, click Close to exit the tool.
v To migrate a directory server instance from a version before 6.0:
1. If the Instance Administration Tool is not started, start it.
2. Click Create.
3. Click Migrate from a previous version of directory server. Then type the path where you backed up the configuration and schema files from the previous version and click Next. Messages are displayed while the directory server instance is being migrated. A completion message is displayed when migration is complete. Click OK to remove the message.
4. Click Close to close the window and return to the main window of the Instance Administration Tool. If you have finished using the Instance Administration Tool, click Close to exit the tool.
3. Click Manage administrator DN in the navigation pane.
4. Specify a valid DN, such as cn=root, in the Administrator DN field and click OK. The administrator DN is the DN used by the administrator of the directory server instance. This administrator is the one user who has full access to all data in the directory. If you are unfamiliar with X.500 format, or if for any other reason you do not want to define a new DN, accept the default DN.
5. Click Manage administrator password in the navigation pane.
6. Specify the password in both the Administrator password and Confirm password fields. Click OK. Passwords are case-sensitive and cannot contain double byte character set (DBCS) characters. Record the password in a secure location for future reference.
Using the command line: You can use the idsdnpw command to change the administrator DN and password for a directory server instance. The command can be run only when the directory server instance is not running. The primary administrator specifies an administrator password and, optionally, an administrator DN, which the utility writes to the ibmslapd.conf file for the directory server instance. The administrator DN is set to cn=root by default.
For example: To set the administrator DN to cn=myname and the password to secret on a computer with only one directory server instance, issue the command:
idsdnpw -u cn=myname -p secret
If the password is not specified, you are prompted for the password. The password is not displayed on the command line when you type it. Note: If the administration password policy has been enabled, the administrator's password must conform to the administration password policy requirements. See the IBM Tivoli Directory Server Version 6.1 Administration Guide for information about the password policy. See the IBM Tivoli Directory Server Version 6.1 Command Reference for detailed information about the idsdnpw command.
Before performing this task:
v Ensure that the directory server is stopped.
v Verify that the DB2COMM environment variable is not set.
Note: This option is not available if you are configuring a proxy server or if you have not installed the full server on the system.
Configuring the database with the Configuration Tool: To configure a database for the directory server instance:
1. Stop the server if it is running.
2. In the Configuration Tool, click Configure database in the task list on the left.
3. If a database user name is requested:
a. Type a user ID in the Database user name field. This user ID owns the database that is used by the directory instance, and the directory server instance uses this user ID to connect to the database. The user ID must already exist before you can configure the database.
b. Type a password for the user in the Password field. Passwords are case-sensitive.
c. In the Database name field, type the name you want to give the DB2 database that is used by the directory server instance to store directory data. The name can be from 1 to 8 characters long.
d. Click Next.
4. If the database installation location is requested:
a. Type the location for the database in the Database install location field. For Windows platforms, this location must be a drive letter. For AIX, Linux, Solaris, and HP-UX platforms, the location must be a directory name, such as /home/ldapdb, and you can click Browse to locate the directory. Be sure that you have at least 80 MB of free hard disk space in the location you specify and that additional disk space is available to accommodate growth as new entries are added to the directory.
b. Click the type of database you want to create. You can create a UCS Transformation Format (UTF-8) database, in which LDAP clients can store UTF-8 character data, or a local code page database, which is a database in the local code page. Create a universal database if you plan to store data in multiple languages in the directory. A universal database is also most efficient because less data translation is needed. If you want to use language tags, the database must be a UTF-8 database.
c. Click Finish.
5. Messages are displayed while the database is being configured. Click Close when database configuration is complete.
Configuring the database with the command line: You can use the idscfgdb command to configure a database for a directory server instance. This command cannot be used for a proxy server instance. The idsicrt command must have already run successfully to create the database instance. In addition, the database instance owner must be set up correctly. Otherwise, the command fails. The directory server instance owner specifies a database administrator user ID, a database administrator password, the location to store the database, and the name of the database. The database administrator ID specified must already exist on the system. By using the -w option, you can reset the password for the database administrator and the change log database owner in the configuration file for the directory server instance. After successfully creating the database, the command adds information about the database to the ibmslapd.conf file of the directory server instance. The database and local loopback settings are created, if they do not exist. You can specify whether to create the database as a local codepage database or as a UTF-8 database, which is the default.
Attention:
1. Before configuring the database, be sure that the environment variable DB2COMM is not set.
2. The server must be stopped before you configure the database.
For example:
To configure a database called ldapdb for directory server instance ldapdb in the location /home/ldapdb with a DB2 database administrator ID of ldapdb whose password is secret, issue the command:
idscfgdb -I ldapdb -a ldapdb -w secret -t ldapdb -l /home/ldapdb
If the password is not specified, you are prompted for the password. The password is not displayed on the command line when you type it. See the IBM Tivoli Directory Server Version 6.1 Command Reference for detailed information about the idscfgdb command.
4. In the Configuration Tool, click Backup database from the navigation pane.
5. In the Backup database window, in the Backup directory field, type the directory path in which to back up all directory data and configuration settings. Or, click Browse to locate and select an existing directory path.
6. Select one of the following:
v Create backup directory as needed if you want the directory to be created if it does not exist.
v Halt if backup directory is not found if you do not want the directory you specified to be created. If this directory does not exist and you select this option, the database will not be backed up.
7. Click Backup.
Using the command line: You can use the idsdbback command to back up the database. For information, see the IBM Tivoli Directory Server version 6.1 Command Reference. Use the idsdbrestore command to restore a directory server instance from a backup copy.
4. In the Configuration Tool, click Manage suffixes in the navigation pane. This option is not available if you are configuring a proxy server or if you have not installed the full server on the system.
5. In the Manage suffixes window, enter the suffix that you want to add in the SuffixDN field, and click Add.
6. When you have added all the suffixes you want, click OK.
Note: When you click Add, the suffix is added to the list in the current suffix DNs box. However, the suffix is not actually added to the directory until you click OK.
Using the command line: To add a suffix for a directory server instance using the command line: Use the idscfgsuf command to configure a suffix for a directory server instance. The suffix is added to the directory server instance's ibmslapd.conf file. When there is more than one directory server instance, you must specify the name of the directory server instance. For example:
v To configure the suffix o=sample, enter:
idscfgsuf -s o=sample
To unconfigure the suffix, use the idsucfgsuf command. For more information about idscfgsuf and idsucfgsuf, see the IBM Tivoli Directory Server Version 6.1 Command Reference.
Attention: You can use the Web Administration Tool or the command line to perform configuration. The Web Administration Tool enables you to administer IBM Tivoli Directory servers either locally or remotely. The Web Administration Tool is backward-compatible and works with IBM Tivoli Directory Server, Version 4.1, 5.1, 5.2 and 6.0. If you want to use the Web Administration Tool but have not installed it yet, follow these steps.
1. Install IBM WebSphere Application Server. For instructions, see page 333.
2. Install the IBM Tivoli Directory Server Web Administration Tool and configure this application into your WebSphere configuration. For instructions, see page 338.
On Windows systems, click Start → Control Panel → Administrative Tools → Services. Right-click IBM Directory Admin Daemon and then select Start.
2. Start the Web Administration Tool. To do so, go to the directory where you installed WebSphere Application Server and issue one of the following commands:
v On UNIX or Linux systems:
/opt/IBM/WebSphereAppServer/bin/startServer.sh server1
or
/opt/WebSphere/AppServer/bin/startServer.sh server1
v On Windows systems:
C:\Program Files\IBM\WebSphere\AppServer\bin\startServer.bat server1
3. To display the login page, open a Web browser and type the following address:
http://localhost:12100/IDSWebApp/IDSjsp/Login.jsp
where localhost is the host name or IP address of a system where the Web Administration Tool is installed, and 12100 is the port configured for the WebSphere Application Server. The IBM Tivoli Directory Server Web Administration Tool login page is displayed. 4. Set up the Web Administration Tool:
Chapter 3. Setting up the registry server
v If you have already set up the Web Administration Tool, skip to step 7 on page 103.
v If you have not set up the Web Administration Tool previously, follow these steps:
a. From the IBM Tivoli Directory Server Web Administration Tool login page, log in as the console administrator by specifying the default user name and password as follows:
LDAP Hostname: Console Admin
Username: superadmin
Password: secret
Click Login to continue. The IBM Tivoli Directory Server Web Administration Tool console is displayed as follows:
Note: After initial setup of the Web Administration Tool, you will be able to log in to the console using the LDAP host name or IP address of your IBM Tivoli Directory Server machine.
b. Console administration tasks are displayed on the left. To add your server, select Manage console servers and then click the Add button in the right pane.
c. From the Add server window, complete the following fields and then click OK.
Hostname: Type the host name or IP address of the machine where IBM Tivoli Directory Server is installed.
Port: The port is already provided (389). If you changed this port number during the configuration of the LDAP server, modify this value accordingly.
Administration port: The port is already provided (3538).
SSL enabled: Do not enable SSL at this time. After SSL has been set up between the Web Administration Tool and the directory server, you can enable SSL. If you enable SSL without properly enabling SSL on the server, you will not be able to log on and perform server administration tasks.
Information on enabling SSL can be found in Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 473. The Manage console servers pane is displayed with the server information.
5. Select Log out to log off the server.
6. From the Logout successful window, click the re-login by clicking here link to return to the IBM Tivoli Directory Server Web Administration login page.
7. You are now ready to administer the server using this console. To do so, follow these steps:
a. Log in by selecting the LDAP host name or IP address for your machine from the drop-down menu.
b. Type the administration DN (cn=root is the default value).
c. Type the associated DN password that you created during configuration of the IBM Tivoli Directory Server and then click Login. The IBM Tivoli Directory Server Web Administration Tool console is displayed:
Note: Server management tasks vary depending upon the capabilities of the server.
8. To verify that the IBM Tivoli Directory Server is running, click Server administration → View server status in the left navigation pane. If your server is stopped, click Start/stop/restart server from the left navigation pane and then click the Start button to start the server. A message is displayed when the server successfully starts or stops.
9. To create a suffix, select Server Administration → Manage server properties → Suffixes from the left navigation pane. The Suffixes window is displayed.
10. To create the suffix where Tivoli Access Manager maintains its metadata, select Server administration → Manage server properties from the left navigation pane. From the Manage server properties window, select the Suffixes tab. Type the desired suffix DN:
Note: The suffix DN is not case-sensitive.
where domain_name is the desired management domain name.
v To specify a location for the metadata that is not a stand-alone suffix, make sure the desired location already exists in the LDAP server before specifying the location. The suffix is displayed in the Current suffix DNs table in the pane.
11. Click Add.
12. At this point, you can create additional suffixes to maintain user and group definitions.
Note: For more information about how to add suffixes, click the Help icon in the upper-right pane of the window. The maximum is 1000 characters for a suffix.
13. Click OK to save changes.
14. When you have finished adding suffixes, select Server administration → Start/stop/restart server from the left navigation pane and then click the Restart button to restart the server. A status message is displayed when the server is restarted successfully.
15. Do one of the following:
v If you did not add any suffixes other than secAuthority=Default, click Logout to close the IBM Directory Server Web Administration Tool window. A directory entry for secAuthority=Default is automatically added when the policy server is configured.
v If you added suffixes other than secAuthority=Default, you must add an entry to the directory for each suffix. To do so, select Directory management → Add an entry in the left navigation pane. When you have completed adding directory entries for the suffixes you created, click Finish and then click Logout to close the IBM Directory Server Web Administration Tool window.
Note: If you enable SSL communication, the directory administration daemon must be stopped and restarted for SSL to take effect.
where domain_name is the desired management domain name. The default suffix is Default; for example:
idscfgsuf -s "secAuthority=Default"
If you specify a location for the metadata that is not a stand-alone suffix, make sure the desired location already exists in the LDAP server before specifying the location. This suffix is added to the ibmslapd.conf file for the default instance. If you have more than one instance, specify the instance name using the -I option. At this point, you can create additional suffixes to maintain user and group definitions. For example:
idscfgsuf -s "c=US"
3. Add entries for the suffixes you just created. For each new suffix (other than secAuthority=Default), create a file, add suffix entry information, and then run the idsldapadd command. For example, create a file named addcus with the following contents:
dn: c=us
objectclass: top
objectclass: country
c: us
where:
host
Specifies the host name or IP address of the LDAP system.
cn=root
The default LDAP Administrator DN. If a different DN is used, specify it here.
pwd
The password for the LDAP Administrator specified.
After you set up the Tivoli Directory Server for use with Tivoli Access Manager, you can either set up a Tivoli Directory Server proxy server (see Setting up IBM Tivoli Directory Server on page 54) or set up the policy server (see Chapter 4, Setting up a policy server, on page 137.)
http://www.ibm.com/servers/eserver/System z/zos/bkserv/
This section includes the following topics:
v Updating schema files
v Adding suffixes
v Configuring Tivoli Access Manager for LDAP
v Native authentication user administration on page 107
Adding suffixes
Tivoli Access Manager requires that you create a suffix which maintains Tivoli Access Manager metadata. You must add this suffix only once, when you first configure the LDAP server. This suffix enables Tivoli Access Manager to easily locate and manage the data. It also secures access to the data, avoiding integrity or corruption problems. For more information about management domains, and creating a location for the metadata, see Tivoli Access Manager management domains on page 138 and Creating a management domain location (example) on page 139. To add suffixes to the LDAP server's slapd.conf file, consult the LDAP Server Administration and Use manual at: http://www.ibm.com/servers/eserver/System z/zos/bkserv/ Note: Restart the LDAP server for changes to take effect. If you decide to add suffixes after the Tivoli Access Manager policy server has been configured, you must apply the appropriate ACLs to the newly created suffix. You can use the ivrgy-tool to apply the ACLs to the new suffix. For more information about the ivrgy-tool, see ivrgy_tool on page 569. See the z/OS LDAP Server Administration and Use Guide for details on updating the security server configuration file.
For example:
ignore-suffix = sysplex=UTCPLXJ8
ignore-suffix = "o=Your Company"
ignore-suffix = o=MQuser
In this example, the sysplex=UTCPLXJ8 suffix is used to access the z/OS SDBM (RACF) database. The LDAP administrator ID used by Tivoli Access Manager during configuration is not a RACF user ID on the z/OS system, and, therefore, does not have the authority to do SDBM searches. If this suffix was not added to the ignore-suffix list, Tivoli Access Manager would receive a return code x32 LDAP_INSUFFICIENT_ACCESS, during configuration. The other suffixes in the list are used by other applications on z/OS, and can be ignored by Tivoli Access Manager. Note that Tivoli Access Manager supports LDAP failover and load-balancing for read operations. If you configured a replica server, you can provide the replica host name to Tivoli Access Manager in the ldap.conf file, which is installed with Tivoli Access Manager in the etc subdirectory.
Furthermore, there is no out-of-the-box administration command to set the ibm-nativeId entry for a user. To that end, the following instructions assist the management of Tivoli Access Manager users with an associated nativeId. The user create command does not change:
pdadmin sec_master> user create user1 cn=user1,o=tivoli,c=us user1 user1 ChangeMe1
pdadmin sec_master> user modify user1 account-valid yes
The password (ChangeMe1, in this example) is set to the user's userpassword entry in LDAP, which has no effect with native authentication enabled. In production environments, use the utility program provided with the z/OS LDAP Server to remove userpassword values from LDAP. This prevents password access if native authentication is inadvertently disabled. To set the ibm-nativeId entry for a user, create an ldif file, called a schema file, similar to the following:
You can load the ldif file using the ldapmodify command on z/OS as follows:
ldapmodify -h host_name -p port -D bind_DN -w bind_pwd -f schema_file
Note: To run idsldapmodify from a Tivoli Directory Server client on a distributed system, the format of the ldif file changes slightly to:
dn: cn=user1,o=tivoli,c=us
objectclass: inetOrgPerson
objectclass: ibm-nativeAuthentication
ibm-nativeId: SAF_username
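Both LDIF shapes in this chapter, the suffix entry (the addcus file for c=us earlier) and the user entry carrying ibm-nativeId shown just above, are small enough to hand-type, but generating them avoids the stray whitespace, mismatched naming attribute and missing object class that idsldapadd and idsldapmodify reject. The following Python is an added example, not code from this guide or from Tivoli Directory Server; the mapping from o, ou and dc to their object classes, the 1 to 8 character SAF user ID check, and the helper names are assumptions of the example.

```python
import base64


def _ldif_attr_line(attr, value):
    """Format one 'attr: value' LDIF line, switching to the base64 'attr:: '
    form when the value is not safe as plain LDIF (non-ASCII, leading space,
    leading ':' or '<', or trailing space)."""
    plain = (value.isascii() and value.isprintable()
             and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if plain:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


# Naming attribute -> structural object class of the suffix's top entry. The
# guide shows only c -> country; the other rows are standard LDAP schema and
# are an assumption of this example.
SUFFIX_OBJECT_CLASSES = {
    "c": "country",
    "o": "organization",
    "ou": "organizationalUnit",
    "dc": "domain",
}


def suffix_entry_ldif(suffix_dn):
    """Build the LDIF that creates the top entry for a single-RDN suffix such
    as c=US or o=sample (the guide's addcus file is the c=us case)."""
    attr, sep, value = suffix_dn.partition("=")
    attr, value = attr.strip(), value.strip()
    if not sep or not attr or not value or "," in value:
        raise ValueError("expected a single-RDN suffix like c=US, got %r" % suffix_dn)
    try:
        structural = SUFFIX_OBJECT_CLASSES[attr.lower()]
    except KeyError:
        raise ValueError("no object class known for naming attribute %r" % attr) from None
    lines = [
        "dn: %s=%s" % (attr, value),
        "objectclass: top",
        "objectclass: %s" % structural,
        _ldif_attr_line(attr, value),
    ]
    return "\n".join(lines) + "\n"


def native_auth_entry_ldif(user_dn, saf_username):
    """Build a user entry in the distributed-client format shown above: the
    user's DN, the inetOrgPerson and ibm-nativeAuthentication object classes,
    and the ibm-nativeId naming the SAF (RACF) user. The 1..8 character limit
    is the RACF user ID rule (assumption), not something the guide states."""
    if not user_dn.lower().startswith("cn="):
        raise ValueError("expected a cn=... user DN, got %r" % user_dn)
    if not 1 <= len(saf_username) <= 8 or " " in saf_username:
        raise ValueError("SAF user ID must be 1 to 8 characters without spaces: %r"
                         % saf_username)
    lines = [
        "dn: %s" % user_dn,
        "objectclass: inetOrgPerson",
        "objectclass: ibm-nativeAuthentication",
        _ldif_attr_line("ibm-nativeId", saf_username),
    ]
    return "\n".join(lines) + "\n"


def write_ldif(path, *entries):
    """Write one or more entries to a file, blank-line separated as LDIF
    requires, ready for the -f option of idsldapadd or idsldapmodify."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(entries))
    return path


if __name__ == "__main__":
    print(suffix_entry_ldif("c=US"))
    print(native_auth_entry_ldif("cn=user1,o=tivoli,c=us", "USER1"))
```

Feed each suffix other than secAuthority=Default through suffix_entry_ldif (secAuthority=Default is created for you when the policy server is configured, so the function deliberately has no row for it), and note that the ibm-nativeId entry only takes effect once auth-using-compare is set to no in the [ldap] stanza, as the text below explains.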
In addition to resetting the password, the command marks the password as expired, which requires the password to be changed at the next login. If desired, the NOEXPIRED option can be added to the command to prevent that behavior.

Note: The SAF_username must be defined as a z/OS UNIX System Services user; that is, SAF_username must be defined on z/OS with an OMVS segment. The following is an example of a SAF command to define SAF_username as a UNIX System Services user:
altuser SAF_username omvs(home(/u/SAF_username) program(/bin/sh) uid(123456))
Note that to use native authentication, you must turn off the auth-using-compare stanza entry. To do so, edit the [ldap] stanza of the ivmgrd.conf and webseald.conf files and change the line as follows:
auth-using-compare = no
By default, authentications to LDAP are made with a compare operation rather than a bind. For more information on setting up native authentication, see the IBM z/OS LDAP Server Administration and Use documentation at: http://www.ibm.com/servers/eserver/System z/zos/bkserv/

After you configure the IBM z/OS LDAP Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, Setting up a policy server, on page 137.
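As an added example (not from this guide), the following Python script checks the two hygiene points described above for a native-authentication setup: that each user entry intended for native authentication carries the ibm-nativeAuthentication objectclass and an ibm-nativeId with no residual userpassword value, and that the [ldap] stanza has auth-using-compare = no. The LDIF entries and the ivmgrd.conf fragment are constructed inline; the SAF user IDs and host name are placeholders.

```python
"""Added example (not from the IBM guide): audit a Tivoli Access Manager
native-authentication setup against a z/OS LDAP (SDBM-backed) registry.

Two checks the guide's text implies:
  1. every user entry that should authenticate natively carries the
     ibm-nativeAuthentication objectclass and an ibm-nativeId, and carries
     no residual userpassword (which would become usable again if native
     authentication were ever switched off);
  2. the [ldap] stanza of ivmgrd.conf / webseald.conf has
     auth-using-compare = no, since a compare against userpassword would
     bypass the SAF bind that native authentication relies on.
All inputs below are constructed for the example.
"""
import configparser
import io
from typing import Dict, List

# Constructed LDIF, modelled on the ibm-nativeId entry shown in the guide.
SAMPLE_LDIF = """\
dn: cn=user1,o=tivoli,c=us
objectclass: inetOrgPerson
objectclass: ibm-nativeAuthentication
ibm-nativeId: USER1

dn: cn=user2,o=tivoli,c=us
objectclass: inetOrgPerson
objectclass: ibm-nativeAuthentication
ibm-nativeId: USER2
userpassword: ChangeMe1

dn: cn=user3,o=tivoli,c=us
objectclass: inetOrgPerson
userpassword: ChangeMe1
"""

# Constructed ivmgrd.conf fragment; the real file has many more stanzas.
SAMPLE_CONF = """\
[ldap]
host = ldap.example.com
port = 389
auth-using-compare = yes
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, one
    'attr: value' per line, attribute names compared case-insensitively,
    continuation lines (leading space) folded. No base64 (::) support."""
    entries, current = [], {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:        # folded continuation
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_native_auth_entries(ldif_text: str) -> Dict[str, List[str]]:
    """Return {dn: [problems]} for entries that do not meet the guide's
    native-authentication requirements. An empty dict means all clean."""
    findings = {}
    for e in parse_ldif(ldif_text):
        dn = e.get("dn", ["<no dn>"])[0]
        problems = []
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "ibm-nativeauthentication" not in classes:
            problems.append("missing objectclass ibm-nativeAuthentication")
        if not e.get("ibm-nativeid"):
            problems.append("missing ibm-nativeId (SAF user ID)")
        if e.get("userpassword"):
            problems.append("residual userpassword value present")
        if problems:
            findings[dn] = problems
    return findings


def auth_using_compare(conf_text: str) -> bool:
    """True if the [ldap] stanza still authenticates by LDAP compare.
    Native authentication requires auth-using-compare = no."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(conf_text))
    return cp.getboolean("ldap", "auth-using-compare", fallback=True)


if __name__ == "__main__":
    for dn, probs in audit_native_auth_entries(SAMPLE_LDIF).items():
        print(dn, "->", "; ".join(probs))
    if auth_using_compare(SAMPLE_CONF):
        print("ivmgrd.conf: set auth-using-compare = no in the [ldap] stanza")
```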
To configure an IBM Lotus Domino server as a registry for Tivoli Access Manager, follow these steps:

Note: Tivoli Access Manager using a Domino registry is supported only on Windows platforms because the Lotus Notes client is available only on supported Windows platforms.

1. Ensure that you have reviewed and complied with the system requirements listed in Supported registries on page 13.
2. Create a Tivoli Access Manager administrative user for Domino. For instructions, see Creating a Tivoli Access Manager administrative user for Domino (versions 6.5, 7.0.1, 7.0.2, and 8.0) on page 110.
3. Locate your Domino installation media and install the Domino server. Refer to the Domino server installation documentation for instructions.
4. If a Tivoli Access Manager server is not installed on the Domino server system, Tivoli Access Manager does not require a Lotus Notes client on that Domino server system. If a Tivoli Access Manager server is installed on the Domino server system, you need the Lotus Notes client and the ID that you want to use as the Tivoli Access Manager administrative ID. For Domino server administration, use the Domino server administrator ID for the Domino Administration interface. Note that these two IDs might be equivalent. The Notes ID file on the Lotus Notes client system must have sufficient administrative rights (Manager access) to perform Tivoli Access Manager functions such as creating, modifying, and deleting databases, as well as creating, modifying, and deleting users and groups in the name and address book (NAB).
5. Make sure you install the Lotus Notes client before installing the Access Manager Runtime component. If it is not installed, locate your Domino installation media and install a Lotus Notes client on the Tivoli Access Manager server system. For instructions, see Installing a Lotus Notes client on a Tivoli Access Manager system on page 112.
6. Ensure that these tasks were done when you installed the Domino server and Lotus Notes client:
   - You named your Domino server (for example, domino1/Austin/IBM, where domino1 is the Domino server machine host name and the remainder is the Domino domain name).
   - You created the Notes name and address book (NAB), which contains your contacts, groups, connections, and locations. This database is located in the Lotus Domino data directory on your server.
   - You installed the Lotus Notes client and created a Notes client password to allow you to access Notes databases on the Domino server.
7. If the Domino server is installed on a Windows system, ensure that the following environment variable is set on the Domino server system:
NOTESNTSERVICE=1
This environment variable ensures that the Lotus Domino server, when running as a Windows service, remains running after the user who started the service logs off the system.

After you configure Domino for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, Setting up a policy server, on page 137.
Creating a Tivoli Access Manager administrative user for Domino (versions 6.5, 7.0.1, 7.0.2, and 8.0)
For Tivoli Access Manager systems to communicate with a Lotus Domino Version 6.5, 7.0.1, 7.0.2, or 8.0 server, you must create and register a Tivoli Access Manager administrative user for Domino. When creating the Tivoli Access Manager administrative user for Domino, any user name can be used. You should disable mail for this user.

To create and register the Tivoli Access Manager administrative user for Domino, follow these steps:

1. Make sure you have the following before you begin registration:
   - Access to the certifier ID (.id file) and its password
   - Access to the Domino Directory database from the system you work on
   - Editor access or the UserCreator role in the Domino Directory on the registration server
   - Manager access to enable you to assign an access level to a user, group, or database, and to add, update, or delete users or groups in the address book
2. From the Domino Administrative client, click the People & Groups tab.
3. Select Domino Directories, and then select People.
4. From the Tools pane, click People -> Register.
5. Select the Domino server's certifier ID. The default location is: C:\Program Files\Lotus\Domino\Data
   Note: Notes uses the certifier ID specified in Administration Preferences; or, if none is specified, the ID specified in the CertifierIDFile setting of the NOTES.INI file is used.
6. If prompted, type the certifier ID password that was set up during server configuration and click OK. To change the certifier ID, click Cancel.
7. Select the Advanced check box and complete the fields in the Basics pane. For example, enter information similar to the following for the Tivoli Access Manager administrative user:
   - First name: AM
   - Last name: Daemons
   - Password: pwd
   The name of the privileged user is not restricted; it can be anything that is valid for the Domino server. In this example, AMDaemons is the identity of Tivoli Access Manager in Domino.
8. To disable mail for that user, click the Mail button. Select None in the Mail system drop-down list.
9. Click ID Info to make sure the Notes ID file is stored in the Domino directory. Select the check box to save the ID file to disk and click Register to add the request to the registration queue.
10. If the registration does not start immediately, select the user name in the registration queue and click Register All to register and add the user to the Domino server. The Tivoli Access Manager administration user requires Manager access (including delete) to the domain name and address book (NAB). A message is displayed indicating that the person was registered successfully. Click OK to remove the message dialog and then click Done. At this time the new user's ID file is available in the directory you specified.
11. To grant the Tivoli Access Manager administration user the permissions, click the Files tab.
12. Highlight your domain's address book, and select Tools -> Database -> Manage ACL.... Click Add under the list of People, Servers, and Groups.
13. Select the newly created Tivoli Access Manager administration user from the Domain address book by clicking the person icon.
14. Click the Add button, then OK on the Names window, and then OK again on the Add User window. This user can now be added to the access control list and the appropriate access level set by following the procedure described in Adding a user to the access control list and set the access level.
15. From the Domino Administrator, select Refresh from the View menu to verify that the Tivoli Access Manager user was created in the Domino server.
16. The new user must be given the ability to create and delete databases on the server. While logged on as the Domino administrator, do the following:
   a. Select the server Configuration tab.
   b. On the left side of the panel, select Server and then Current server document.
   c. At the top of the server document pane, click Edit Server.
   d. Click the Security tab of the edit pane.
   e. Scroll down to the Server Access section of the pane and add the name of the new user to the Create databases & templates list.
   f. Click Save and Close.
Determining if the Tivoli Access Manager ID has access to create a database on a server
Lotus Notes lets you easily create databases. You can use a template to create a database (that is, a file that contains forms and views, but not documents), or you can use a blank template. You can create a database locally, or you can create a database on a server if you have the access to do so.

1. Log on to the Domino server using the Tivoli Access Manager ID and password.
2. Open the Domino Directory database that lists the server you want to access.
3. Click the Servers view in the Domino Directory, and then select the server.
4. Double-click the selected server name to open the server document.
5. Click the Security tab in the server document.
6. In the Server Access section, check whether your name or a group you are part of is listed in the Create new databases field. If it is, you can create a database on that server.
Adding a user to the access control list and set the access level
To assign an access level to a user, you must have Manager access to the database and use the Domino Administrative client.

1. Using the Domino Administrative client, open the directory database on the server. This is the name and address book (NAB) on the server.
2. Choose File -> Database -> Access Control.
3. Click Basics, and then click Add.
4. Enter the name of the person, server, or group (for example, the newly created Tivoli Access Manager administrative user) to whom you are giving access, and then click OK. You can click the person icon to pick a name from an address book.
5. Select the user just added in the displayed list of users. In the Attributes section, indicate in the User type field that the user is a Person and has the role of Editor.
6. In the Access level list on the same panel, select the access level you want to assign to the user. In addition to the default access, mark the check box granting permission to delete documents. Refer to Access levels for a database and Additional privileges in the access control list for more details on access levels and privileges users can have. A Tivoli Access Manager user should have Editor access to the NAB and be able to delete and replicate documents. The roles should include being able to create and modify groups, and create and modify users.
7. Click OK to apply your changes.
Access Manager runtime, using Domino as the user registry, is installed. Typically, the administration client is installed on the Domino server. To install and configure a Lotus Notes client on the Domino server, follow these general steps:

1. If you already have a Lotus Notes ID file that is in use on another client system, copy this binary file to the drive:\Lotus\Notes\data directory on your local system.
   Note: If you are uncertain about the name of the ID file you are currently using, click File -> Tools -> User ID from the Lotus Notes client interface to locate the ID file name.
2. Run the Notes client setup file from the Lotus Notes or Domino CD for Windows and follow the online instructions.
   Note: Depending on the installation medium you are using, you might be prompted to install other program features. For Tivoli Access Manager installation, the Notes client is the only required feature.
3. From the Lotus Notes Installation window, select Typical and follow the instructions. When the installation is complete, click Finish.
4. Launch the Lotus Notes program to perform configuration. For example, click Start -> Programs -> Lotus Applications -> Lotus Notes.
5. From the Lotus Notes Client Configuration window, click Next and complete the following information:
   - Select I want to connect to a Domino server and click Next.
   - Select Set up a connection to a local area network (LAN) and click Next.
   - Type the fully qualified name of your Domino server and click Next. This can be a mail or passthru server, or some other server that knows who you are. For example, enter the following in the Domino server name field:
domino1/Austin/IBM
   - Do one of the following:
     - If you were provided the Lotus Notes ID file, select My Notes UserID has been supplied to me in a file and either click Browse to locate the ID file or type the fully qualified name of the ID file in the File name field. For example, type c:\notes\data\username.id.
     - Select Use my name as identification and type the Tivoli Access Manager administrative user ID (for example, AMDaemons) in the User name field.
   Click Next to continue.
6. If prompted for additional configuration information, you can accept the default values. Click Finish to continue the Notes client configuration steps.
7. If appropriate, select the Do not connect to an internet proxy server button. A password prompt window opens when the Notes client can access the remote Domino server.
8. Enter the password for the Tivoli Access Manager administrative user. If the password is correct, the Notes client continues to finish the remaining configuration. When configuration is complete, the Notes ID file for the administrative user is installed either in the \notes\data directory on the local system if you have been provided the Lotus Notes ID file (as described in step 5 on page 113), or in install_dir\Notes\Data if you selected the directory to install in.
Active Directory Authorization Stores of dynamic groups. Tivoli Access Manager does not support dynamic groups that are created in XML Authorization Storage.
- Tivoli Access Manager supports only the security global group.
- To import an Active Directory user as a Tivoli Access Manager user, use the Active Directory user's login name as the user ID for the Tivoli Access Manager user.
- If you installed and configured Tivoli Access Manager on a client of Active Directory (for example, Tivoli Access Manager and Active Directory are on different systems), the client system must join the domain. You must sign on to the domain using the created Active Directory administrative user to perform Tivoli Access Manager configuration on the client system.
- When using SSL to communicate with the Active Directory server, the SSL port is limited by Active Directory to the default SSL port number of 636.
- If the Active Directory environment is behind a firewall, make sure that Microsoft-DS port 445 is open. For more information about the server message block (SMB) protocol over IP, refer to the following Web site: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/base/microsoft_smb_protocol_authentication.asp
- The DNS in the network TCP/IP setting on the client system must be the same as the domain controller's network TCP/IP setting. You can use the root domain controller as the DNS server or you can use a separate DNS.
- When Tivoli Access Manager is configured to use Active Directory as the user registry, the Global Catalog server must be running and accessible to Tivoli Access Manager servers. Active Directory also uses the Global Catalog server for user authentication. The Global Catalog uses port 3268 for non-SSL authentication and port 3269 for SSL authentication. For more information about Global Catalog requirements for user and computer logon, see http://support.microsoft.com/kb/216970. For more information about Global Catalog ports, see http://support.microsoft.com/kb/179442.
- Joining an Active Directory domain
- Creating an Active Directory administrative user on page 118
3. Click Properties. Under Member of, select Domain and type the name of the domain that you want to join. Click OK to continue.
4. From the Domain Username And Password window, type a valid user name and password and then click OK to join the system to the domain.
5. If the join operation is successful, a welcome window is displayed as shown. Click OK to continue.
6. A dialog is displayed indicating that the system needs to be rebooted. Click OK to continue.
7. The System Properties notebook is displayed, indicating that the join operation has completed. Click OK to restart your system.
Note: After your system is restarted, ensure that you are signing into the Active Directory domain that you have just joined. Usually, the local domain is the default domain in a Windows Login window.
Attention: Use caution when modifying data using the Registry Editor. Incorrect use can cause severe errors that might require you to reinstall your operating system.

The default value data for the Replicator notify pause after modify (secs) DWORD value is 0x12c hexadecimal, which is 300 decimal (5 minutes). To modify the notification delay between domain controllers, use the Registry Editor to modify the value data for the Replicator notify pause between DSAs (secs) DWORD value in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
The default value data for the Replicator notify pause between DSAs (secs) DWORD value is 0x1e hexadecimal, which is 30 decimal (30 seconds).

Note: You must stop the policy server before editing the registry and then restart the system afterwards.

During Active Directory multi-domain configuration, a data propagation delay occurs with a default value of 5 minutes. A user or group that was just created in a non-root domain might not be visible when user list or group list commands are issued. Similarly, a user or group newly created in the primary root domain controller might not be immediately visible in the secondary root domain. By adjusting the values of Replicator notify pause after modify and Replicator notify pause between DSAs in the Windows system registry, you can change this behavior to best fit your environment's needs.
http://www.microsoft.com/windowsserver2003/adam/default.mspx

This section contains the following topics:
- Installing and configuring Active Directory Application Mode (ADAM) for Tivoli Access Manager (Overview)
- Installing Access Manager with support for Active Directory Application Mode (ADAM)
- Configuring the Tivoli Access Manager schema for Active Directory Application Mode (ADAM) on page 121
- Configuring a default Tivoli Access Manager directory partition on page 123
- Adding an administrator to the Tivoli Access Manager metadata directory partition on page 124
- Allowing anonymous bind on page 126
Installing and configuring Active Directory Application Mode (ADAM) for Tivoli Access Manager (Overview)
The following overview provides guidelines for installing and configuring Active Directory Application Mode (ADAM) to use as a user registry with Tivoli Access Manager:

1. When installing ADAM, log on to the system using an account that belongs to the local Administrators group. Use the Active Directory Application Mode Setup Wizard to configure your ADAM instance.
2. When you create an ADAM instance, you must specify an ADAM instance name, which is used to uniquely identify the instance and to name the ADAM service.
3. Specify the ports used for both non-SSL and SSL connection types within the ADAM instance. Make a note of the port numbers you specify because they must be entered when you configure Tivoli Access Manager.
4. On the Application Directory Partition pane of the Active Directory Application Mode Setup Wizard, create an application directory partition to contain the user and group definitions that you use. Below the directory partition, you can create other Directory Information Tree (DIT) entries as needed.
5. On the Importing LDIF Files pane of the Active Directory Application Mode Setup Wizard, import the following LDIF files to update the schema used by this instance of ADAM:
   - MS-InetOrgPerson.LDF
   - MS-User.LDF
   - MS-UserProxy.LDF
6. When you finish installing ADAM, ensure that the installation completed successfully and did not contain any errors. adamsetup.log and adamsetup_loader.log contain information that can help you troubleshoot an ADAM setup failure.
Installing Access Manager with support for Active Directory Application Mode (ADAM)
The Tivoli Access Manager Active Directory Application Mode (ADAM) schema file, tam-adamschema.ldf, is located in the following directories:
- AIX: /opt/PolicyDirector/etc
- Solaris: /opt/PolicyDirector/etc
- HP: /opt/PolicyDirector/etc
- Linux: /opt/PolicyDirector/etc
- Windows: install-base\etc

where install-base is the installation directory. The default directory is C:\Program Files\Tivoli\Policy Director.

Although tam-adamschema.ldf is installed as part of the Tivoli Access Manager runtime component on all platforms, the schema must be applied on the ADAM server, which runs on a Windows platform only. If you use Tivoli Access Manager on a non-Windows platform with ADAM, the schema definition file must be copied from the Tivoli Access Manager runtime installation to the Windows system on which ADAM is running.
Configuring the Tivoli Access Manager schema for Active Directory Application Mode (ADAM)
Tivoli Access Manager defines its own set of LDAP entry types and attributes that it uses to track user, group, and policy information. These extensions to the basic LDAP server schema must be added to Active Directory Application Mode (ADAM) before configuring Access Manager. After you install ADAM and configure the ADAM instance using the Active Directory Application Mode Setup Wizard, the Tivoli Access Manager schema extensions can be added to ADAM using the ldifde.exe command-line tool included with ADAM.

Before adding the Tivoli Access Manager schema extensions, ensure that you have defined the inetOrgPerson and user schema definitions included with ADAM. If the inetOrgPerson and user schema extensions have not been added yet, they can also be added using the ldifde.exe command-line tool, and this should be done before adding the Access Manager schema. To add the inetOrgPerson and user schema extensions, use the following procedure. After you run these commands, the ADAM schema includes the ADAM, inetOrgPerson, and user object classes and attribute definitions. If these schema extensions have already been added, you can skip this procedure:

1. Click Start > All Programs > ADAM > ADAM Tools Command Prompt.
2. At the command prompt, type the following command and then press ENTER:
ldifde -i -f ms-inetorgperson.ldf -s servername:portnumber -k -j . -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
where servername represents the workstation name and portnumber is the LDAP connection port of your ADAM instance. If ADAM is running on your local workstation, you can also use localhost as the workstation name.

3. Type the following command, and then press ENTER:
ldifde -i -f ms-user.ldf -s servername:portnumber -k -j . -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
where servername represents the workstation name and portnumber is the LDAP connection port of your ADAM instance. If ADAM is running on your local workstation, you can also use localhost as the workstation name.

After you have ensured that the ADAM schema includes the inetOrgPerson and user definitions, add the Tivoli Access Manager schema extensions:
Chapter 3. Setting up the registry server
1. Click Start > All Programs > ADAM > ADAM Tools Command Prompt.
2. At the command prompt, type the following command and then press ENTER:
ldifde -i -e -f tam-adamschema.ldf -s servername:portnumber -k -j . -c "CN=Schema,CN=Configuration" #schemaNamingContext
where servername represents the workstation name and portnumber is the LDAP connection port of your ADAM instance. If ADAM is running on your local workstation, you can also use localhost as the workstation name.

The tam-adamschema.ldf file is included with the Tivoli Access Manager ADAM feature.
Configuring Tivoli Access Manager location for Active Directory Application Mode (ADAM)
When the Tivoli Access Manager policy server is configured, the management domain is created. The management domain is the initial security domain. Metadata used to track Tivoli Access Manager information about the domain is created and maintained in the user registry.

When the policy server is configured, the administrator specifies the name of the management domain or uses the default name, Default. The administrator also specifies the location in the registry where this metadata is stored by specifying the management domain location DN. The location specified must already exist in the user registry. If the administrator chooses to use the default management domain location, the information is maintained in a specific Active Directory Application Mode (ADAM) partition, which must be called
secAuthority=<management_domain_name>
where management_domain_name is the management domain name specified. For example, if the default management domain name is used, the partition is called secAuthority=Default. If the administrator does not use the default location and instead specifies the management domain location DN, any existing location within the ADAM registry may be used as long as it is a container object.

Note: You must choose a location DN within the same directory partition where you will store user and group information. This is required because ADAM requires that the policy server exist in the same directory partition in which the user and group information is maintained. The policy server cannot maintain user and group information outside the ADAM directory partition in which the policy server itself is defined. For this reason, it is recommended that the default management location not be chosen during policy server configuration when ADAM is being used as the Tivoli Access Manager registry. Instead, it is recommended that you choose the management domain location within the ADAM partition in which you wish to maintain the users and groups that reflect your enterprise organizational structure.

Attention: If you chose the default management location during policy server configuration, the option to permanently remove domain information from the registry deletes all data in the ADAM partition of the default domain management location, including registry-specific data, when you unconfigure Tivoli Access Manager. To retain registry-specific data, choose the management domain location in the ADAM partition in which you want to maintain users and groups. The default management location is the location for Tivoli Access Manager metadata.
   c. When you are finished specifying bind options, click OK. The ldp tool binds to the ADAM instance using the method and credentials specified.
3. Add children:
   a. From the Browse menu, select Add child.
   b. In the Dn field, type secAuthority=Default as the distinguished name for the new directory partition.
   c. In the Edit Entry field, type the following and then click ENTER:
      - In the Attribute field, type ObjectClass.
      - In the Values field, type secAuthorityInfo.
   d. In the Edit Entry field, type the following and then click ENTER:
      - In the Attribute field, type SecAuthority.
      - In the Values field, type Default.
   e. In the Edit Entry field, type the following and then click ENTER:
      - In the Attribute field, type version.
      - In the Values field, type 6.0.
   f. In the Edit Entry field, type the following and then click ENTER:
      - In the Attribute field, type cn.
      - In the Values field, type secAuthority.
   g. In the Edit Entry field, type the following and then click ENTER:
      - In the Attribute field, type instanceType.
      - In the Values field, type 5.
      The set of attributes and values appears in the Entry List pane.
   h. Ensure that the Synchronous option is selected and click Run. This adds the required Access Manager metadata directory partition to the ADAM instance.

To verify that the partition has been properly added, you can use the ADAM ADSI Edit tool to connect to and view the partition.
Note: The following example assumes that you accepted the default management domain and location. If you specified a different domain name or location, add the ADAM user administrator to the ADAM partition you specified.

1. Create the ADAM LDAP administrator:
   a. Click Start -> All Programs -> ADAM -> ADAM ADSI Edit.
   b. In the console tree, click ADAM ADSI Edit.
   c. On the Action menu, click Connect To... The "Connection Settings" dialog box appears.
   d. In the Connection name field, you can type a label under which this connection will appear in the console tree of ADAM ADSI Edit. For this connection, type: secAuthority.
   e. In the Server name field, type the host or DNS name of the system on which the ADAM instance is running. If the ADAM instance is on the local system, you can use localhost as the server name.
   f. In the Port field, type the LDAP or SSL communication port in use by this ADAM instance.
      Note: To list the port numbers used by ADAM instances, click Start -> All Programs -> ADAM -> ADAM Tools Command Prompt and then, at the command prompt, type:
dsdbutil
list instances
quit
      on the system where the ADAM instance is running.
   g. Under Connect to the following node, select Distinguished name (DN) or naming context and enter secAuthority=Default for the default distinguished name. If you are using a different directory partition, select that partition. This example assumes the default partition.
   h. Under Connect using these credentials, click The account of the currently logged on user.
   i. Click OK. secAuthority should now appear in the console tree.
2. Select user attributes:
   a. Expand the secAuthority tree by double-clicking secAuthority and then double-click SECAUTHORITY=DEFAULT.
   b. Highlight and right-click the SECAUTHORITY=DEFAULT container, point to New, and then click Object...
   c. Under Select a class, click user, and then click Next.
   d. For the value of the cn attribute, type the common name for the administrator you wish to create. For example, type tam. Then click Next.
   e. Click More Attributes and select the msDS-UserDontExpirePassword property from the Select a property drop-down menu. Set the attribute value to True and click Set. Click OK. This prevents the default password expiration policy from applying to this administrator. If you would prefer that the password policy apply to this administrator, this property can be left unset.
   f. No additional attributes are required, but if you wish to set additional attributes, click More Attributes, select the attributes you wish to set, and enter the values. When you are finished, click Finish. The user is created with a Distinguished Name (DN) of cn=tam,secAuthority=Default.
   g. To set the administrator password, highlight and then right-click the user you just created. Select Reset password...
   h. In the "Reset Password" pane, enter and confirm the password you wish to use. When finished, click OK. Remember the user DN and password that you create because they will be specified as the LDAP Administrator DN and password when Access Manager is configured.
3. Add the user to the Administrators group for the partition:
   a. Within the SECAUTHORITY=DEFAULT directory partition, there are three containers called CN=LostAndFound, CN=NTDSQuotas, and CN=Roles.
      1) Highlight the CN=Roles container by single-clicking it. In the details pane on the right side of the ADAM ADSI Edit tool, the groups within the Roles container are displayed.
      2) Highlight the CN=Administrators group by single-clicking it.
      3) Right-click the CN=Administrators group and select Properties. The CN=Administrators Properties page is displayed.
   b. Under Attributes, scroll down to locate and click member, and then click Edit.
   c. Click Add ADAM Account.... Type the distinguished name of the administrator user that you created in step 2f on page 125 into the DN field and click OK. The administrator user is added to the Administrators group and is displayed as a member.
   d. Click OK to complete the membership update. Click OK to close the "CN=Administrators Properties" page.
8. Under Connect using these credentials, click The account of the currently logged on user. Click OK. Configuration should now appear in the console tree.
9. Expand the Configuration subtree by double-clicking Configuration.
10. Double-click CN=Configuration,CN={GUID}, where GUID was generated when the ADAM instance was configured.
11. Double-click the CN=Services folder to expand it, and then double-click CN=Windows NT.
12. Right-click CN=Directory Service and click Properties.
13. Click dsHeuristics.
14. Click Edit.
15. Edit the value. Change the seventh character (counting from the left) to 2. The value should be similar to 0000002001001 in the String Attribute Editor. Click OK.
16. Click OK. Anonymous bind is now allowed.
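The single-character edit in step 15 is easy to get wrong by hand, so here is an added Python example (not from the IBM guide) that derives the new dsHeuristics value, audits an existing value for whether anonymous bind is enabled, and enforces the ADAM consistency rule that every tenth character holds its position digit (the 10th is 1, the 20th is 2), which the guide's sample value satisfies. The function names and the sample values are my own.

```python
"""Derive and audit the ADAM dsHeuristics value that governs anonymous bind.

Added example; not part of the IBM guide. Positions are counted from 1,
as the guide does: the seventh character controls anonymous LDAP
operations, and '2' allows them. The audit also enforces the ADAM/AD
consistency rule that every tenth character holds its position digit
(10th = '1', 20th = '2', ...), which the guide's sample value
0000002001001 satisfies.
"""

ANON_OPS_POSITION = 7      # 1-based position of the anonymous-operations flag
ANON_OPS_ALLOWED = "2"     # value that permits anonymous LDAP operations
FLAG_CLEARED = "0"         # value that restores the default (anonymous blocked)


def validate_dsheuristics(value: str) -> None:
    """Raise ValueError when a position-check digit is wrong.

    ADAM rejects a dsHeuristics value whose 10th, 20th, ... characters
    do not equal 1, 2, ... respectively, so check before writing it.
    """
    for pos in range(10, len(value) + 1, 10):
        expected = str(pos // 10)
        if value[pos - 1] != expected:
            raise ValueError(
                f"dsHeuristics position {pos} must be {expected!r}, "
                f"found {value[pos - 1]!r} in {value!r}"
            )


def anonymous_bind_allowed(value: str) -> bool:
    """Report whether anonymous LDAP operations are enabled.

    A value shorter than seven characters leaves the flag at its default,
    so anonymous bind is not allowed in that case.
    """
    validate_dsheuristics(value)
    if len(value) < ANON_OPS_POSITION:
        return False
    return value[ANON_OPS_POSITION - 1] == ANON_OPS_ALLOWED


def set_anonymous_bind(value: str, allow: bool) -> str:
    """Return the dsHeuristics string with the seventh character updated.

    Short or empty values are padded with '0' up to position 7, which is
    what the String Attribute Editor edit in step 15 amounts to.
    """
    validate_dsheuristics(value)
    chars = list(value.ljust(ANON_OPS_POSITION, FLAG_CLEARED))
    chars[ANON_OPS_POSITION - 1] = ANON_OPS_ALLOWED if allow else FLAG_CLEARED
    result = "".join(chars)
    validate_dsheuristics(result)  # padding stops before position 10, but be safe
    return result


if __name__ == "__main__":
    # Constructed sample values: the guide's example, a default-like value, and empty.
    for sample in ("0000002001001", "0000000001001", ""):
        state = "ALLOWED" if anonymous_bind_allowed(sample) else "blocked"
        print(f"{sample!r:>17}: anonymous bind {state}")
    print("after step 15 edit:", set_anonymous_bind("0000000001001", True))
```

Running the audit function against the dsHeuristics values of every ADAM or AD LDS instance you operate tells you which directories accept anonymous operations, which is worth recording because Tivoli Access Manager needs it but other applications sharing the instance may not expect it.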
You can configure Novell eDirectory for Tivoli Access Manager using either the Novell eDirectory ConsoleOne directory management utility or the Novell iManager Web-based administration console.

To configure Novell eDirectory for Tivoli Access Manager using the Novell eDirectory ConsoleOne directory management utility, complete the following steps:
1. Start the Novell ConsoleOne directory management utility.
2. Select the organization object within your Novell eDirectory tree. A list of objects is displayed on the right side of the ConsoleOne window.
3. Right-click the LDAP group object (not the LDAP server object), and click Properties from the menu.
4. Click the Class Map tab to display the table of LDAP class names. The Novell eDirectory class names are displayed.
5. Delete the entries with the LDAP classes inetOrgPerson and groupOfNames.
6. Click Apply, and then click Close.
7. Click the Attribute Map tab to display the table of LDAP attribute names. The Novell eDirectory attribute names are displayed.
8. Scroll through the table and find the Novell eDirectory attribute member. Check the value of the corresponding LDAP attribute. If the LDAP attribute value is member, no change is needed. If the attribute shows the default value of uniqueMember, modify it as follows:
   - Click Modify. The Attribute Mapping window is displayed.
   - Change the Primary LDAP Attribute field from uniqueMember to member.
   - Change the Secondary LDAP Attribute field from member to uniqueMember.
   - In the Attribute window, click OK to accept the changes.
9. If you are using Solaris, proceed to the next step. If you are using Windows NT, you might have to add another mapping for the LDAP attribute ndsHomeDirectory, as follows:
   - On the right side of the Attribute Mappings window, click Add. The Attribute Mapping window is redrawn and displayed again.
   - From the Novell eDirectory NDS Attribute field menu, click Home Directory.
   - In the Primary LDAP Attribute field, click ndsHomeDirectory.
   - In the Attribute Mapping window, click OK to accept the changes.
10. In the Properties window, click OK.

To configure Novell eDirectory for Tivoli Access Manager using the Novell iManager Web-based administration console, complete the following steps:
1. Launch the iManager Web page and log in as the administrator for the Novell eDirectory tree to be updated.
2. Click the Roles and Tasks icon at the top of the iManager window to open the Roles and Tasks view.
3. In the Roles and Tasks navigation frame, expand the LDAP category.
4. In the expanded list, click the LDAP Options task.
5. On the LDAP Options page, click the LDAP Group listed.
6. Click Class Map to display the Novell eDirectory class to LDAP class mappings.
7. Remove the mappings to inetOrgPerson and groupOfNames:
   - Scroll through the list and look for mappings of eDirectory classes to the LDAP class inetOrgPerson.
   - If a mapping exists, select the row and click the Remove Mapping icon to remove the mapping.
   - Click OK in the pop-up window to confirm the removal of the mapping.
   - Click Apply to apply the changes.
   - Repeat this step to remove a mapping for the LDAP class groupOfNames.
8. Click OK to accept the changes that have been made.
9. Repeat steps 3-5 to return to the LDAP Group page.
10. Click Attribute Map to access the Novell eDirectory attribute to LDAP attribute mappings.
11. Scroll through the table and find the Novell eDirectory attribute member. Check the value of the corresponding LDAP attribute. If the LDAP attribute value is member, no change is needed. If the attribute shows the default value of uniqueMember, modify it as follows:
   - Select the row and click the View/Edit Mapping icon.
   - Change the Primary LDAP Attribute field from uniqueMember to member.
   - Change the Secondary LDAP Attribute field from member to uniqueMember.
   - Click OK in the pop-up window to confirm the change.
   - Click Apply to apply the changes.
12. If you are using Solaris, proceed to the next step. If you are using Windows NT, you might have to add another mapping for the LDAP attribute ndsHomeDirectory. To add the mapping:
   - Click the Add Mapping icon on the right side of the window. A pop-up window for defining the mapping is displayed.
   - In the eDirectory Attribute field, select Home Directory.
   - In the Primary LDAP Attribute field, type ndsHomeDirectory.
   - Click OK to confirm the mapping and close the pop-up window.
13. Click OK in the Attribute Map window to accept the changes.

After you set up Novell eDirectory for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, Setting up a policy server, on page 137.
The following Novell eDirectory administrator actions undo the Tivoli Access Manager modification to the User objectclass. The Group objectclass is not affected.
- Running the eDirectory database repair tool, ndsrepair, with the rebuild schema option.
- Running Basic Repair from the iManager console and running local database repair with the rebuild operational schema option.
- Applying a patch update to Novell eDirectory.
- Upgrading Novell eDirectory to a more recent version.

If it is necessary to perform any of these operations after Tivoli Access Manager has been configured into the eDirectory server, run the following Tivoli Access Manager utility immediately to ensure that the definition of the User objectclass is restored:
ivrgy_tool -h host -p port -D dn -w password schema
where:
host      Specifies the LDAP server (Novell eDirectory) host name, which is required.
port      Specifies the LDAP server (Novell eDirectory) port number.
dn        Specifies the LDAP server (Novell eDirectory) bind distinguished name.
password  Specifies the LDAP server (Novell eDirectory) bind password.
schema    Specifies the name of the Novell eDirectory schema file.

The ivrgy_tool.exe is located in the sbin subdirectory. For example:
- On Windows systems: d:\Program Files\Tivoli\Policy Director\sbin
- On UNIX or Linux systems: /opt/PolicyDirector/sbin

You must run this utility from the sbin directory because Tivoli Access Manager does not add the sbin directory to the system PATH. For more information about this utility, see ivrgy_tool on page 569.
Novell eDirectory strictly enforces the containment rule. If you specify a management domain location with an objectclass other than the common objectclasses listed here, you must manually modify the schema file novschema.def to include that objectclass.

Note: You must modify the schema file before you configure Tivoli Access Manager.

The complete path of the Tivoli Access Manager Novell eDirectory schema file is [Tivoli Access Manager installation directory]/etc/novschema.def. The following example illustrates how to modify the schema file.
1. Open the schema file.
2. Replace this portion:
dn: cn=schema
changetype: modify
delete: objectclasses
objectClasses: ( 1.3.6.1.4.1.4228.1.8 NAME secAuthorityInfo
  DESC Security Authority Information SUP eApplicationSystem STRUCTURAL
  MUST ( secAuthority $ version ) X-NDS_NAMING secAuthority
  X-NDS_CONTAINMENT ( treeRoot ) )
add: objectclasses
objectClasses: ( 1.3.6.1.4.1.4228.1.8 NAME secAuthorityInfo
  DESC Security Authority Information SUP eApplicationSystem STRUCTURAL
  MUST ( secAuthority $ version ) X-NDS_NAMING secAuthority
  X-NDS_CONTAINMENT ( treeRoot container organization organizationalUnit domain country ) )
with
dn: cn=schema
changetype: modify
delete: objectclasses
objectClasses: ( 1.3.6.1.4.1.4228.1.8 NAME secAuthorityInfo
  DESC Security Authority Information SUP eApplicationSystem STRUCTURAL
  MUST ( secAuthority $ version ) X-NDS_NAMING secAuthority
  X-NDS_CONTAINMENT ( treeRoot ) )
add: objectclasses
objectClasses: ( 1.3.6.1.4.1.4228.1.8 NAME secAuthorityInfo
  DESC Security Authority Information SUP eApplicationSystem STRUCTURAL
  MUST ( secAuthority $ version ) X-NDS_NAMING secAuthority
  X-NDS_CONTAINMENT ( treeRoot container organization organizationalUnit domain country your_object_class_goes_here ) )

Chapter 3. Setting up the registry server
For more information about management domains and creating a location for the metadata, see Tivoli Access Manager management domains on page 138 and Creating a management domain location (example) on page 139.
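The edit in step 2 is a one-token change inside the add: objectclasses definition, and it is easy to apply it to the wrong definition or to apply it twice. As an added example (not the product's own tooling), this Python helper makes that change to the novschema.def text, leaves the delete: definition untouched so it still matches what the server holds, and is safe to re-run. The object class name locality, the helper names, and the sample schema text are assumptions.

```python
"""Add an object class to the secAuthorityInfo containment list in novschema.def.

Added example; not part of the IBM guide or the product. It applies the
manual edit from step 2: in the 'add: objectclasses' definition of
secAuthorityInfo (OID 1.3.6.1.4.1.4228.1.8) the X-NDS_CONTAINMENT list
gains the object class of your management domain location. The
'delete: objectclasses' definition is left alone, because it must still
match the definition the server currently holds. LDIF continuation lines
(leading single space) are unfolded first; the result is written unfolded.
"""
import re

SEC_AUTHORITY_INFO_OID = "1.3.6.1.4.1.4228.1.8"
_CONTAINMENT_RE = re.compile(r"(X-NDS_CONTAINMENT\s*\()([^)]*)(\))")

# Constructed sample: the guide's excerpt, with the long definitions folded
# the way an LDIF file folds them.
SAMPLE_SCHEMA = """\
dn: cn=schema
changetype: modify
delete: objectclasses
objectClasses: ( 1.3.6.1.4.1.4228.1.8 NAME secAuthorityInfo
  DESC Security Authority Information SUP eApplicationSystem STRUCTURAL
  MUST ( secAuthority $ version ) X-NDS_NAMING secAuthority
  X-NDS_CONTAINMENT ( treeRoot ) )
add: objectclasses
objectClasses: ( 1.3.6.1.4.1.4228.1.8 NAME secAuthorityInfo
  DESC Security Authority Information SUP eApplicationSystem STRUCTURAL
  MUST ( secAuthority $ version ) X-NDS_NAMING secAuthority
  X-NDS_CONTAINMENT ( treeRoot container organization organizationalUnit domain country ) )
"""


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (leading single space) to their predecessor."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def containment_classes(definition: str) -> list[str]:
    """Return the object classes listed in a definition's X-NDS_CONTAINMENT clause."""
    match = _CONTAINMENT_RE.search(definition)
    if match is None:
        raise ValueError("definition has no X-NDS_CONTAINMENT clause")
    return match.group(2).split()


def add_containment(schema_text: str, object_class: str) -> str:
    """Return schema_text with object_class in the 'add:' secAuthorityInfo definition.

    Idempotent: an object class that is already listed is not added twice.
    Raises ValueError if the target definition is not present.
    """
    in_add_block = False
    found = False
    out: list[str] = []
    for line in unfold_ldif(schema_text):
        key = line.split(":", 1)[0].strip().lower()
        if key == "delete":
            in_add_block = False
        elif key == "add":
            in_add_block = True
        elif (in_add_block and key == "objectclasses"
              and SEC_AUTHORITY_INFO_OID in line):
            found = True
            classes = containment_classes(line)
            if object_class not in classes:
                classes.append(object_class)
                line = _CONTAINMENT_RE.sub(
                    lambda m: f"{m.group(1)} {' '.join(classes)} {m.group(3)}",
                    line, count=1)
        out.append(line)
    if not found:
        raise ValueError("no 'add: objectclasses' definition for secAuthorityInfo found")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Hypothetical management domain location of objectclass 'locality'.
    print(add_containment(SAMPLE_SCHEMA, "locality"))
```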
   - On Windows systems, use Services to start the Sun Java System Administration Server and Sun Java System Directory Server services.
3. To start the console, enter one of the following:
   - On UNIX or Linux systems:
% ServerRoot/startconsole
   - On Windows systems, select Start > Programs > Sun Java System Server Products > Sun Java System Server Console.
   The Console Login window is displayed unless your configuration directory (the o=NetscapeRoot directory) is stored in a separate instance of the Sun Java System Directory Server. In this case, a window is displayed requesting your administrator user DN, password, and the Web address of the Administration Server for that Directory Server.
4. Log in using the user ID and password for the LDAP administrator. For example, type cn=root and the appropriate password, and then click OK.
   The Sun ONE Server Console is displayed.
5. Navigate through the tree in the left pane to find the system (qasun7 in this example) that is hosting your Directory Server and click it to display its general properties.
6. Double-click the name of your directory server in the tree or click the Open button. The Directory Server Console for managing this directory server instance is displayed.
7. From the Configuration tab, right-click Data in the left pane and then select New Suffix.
   Or, you can create a new suffix by clicking Data and then clicking New Suffix from the Object menu.
8. To create the management domain location that maintains Tivoli Access Manager data, type the suffix DN of the location; for example, secAuthority=Default. The name must be in the relative distinguished name (DN) format and consist of one attribute-value pair. If there are multiple attribute-value pairs, separate them with commas. The default location is secAuthority=Default. For more information about management domains and creating a location for the metadata, see Tivoli Access Manager management domains on page 138 and Creating a management domain location (example) on page 139.
9. Change the name of the database when creating a new suffix.
   Attention: Do not accept the default value for the database name when creating a new suffix. By default, the location of the database files for this suffix is chosen automatically by the server. Also by default, the suffix maintains only the system indexes, no attributes are encrypted, and replication is not configured. If you accept the default value, the Sun Java Directory Server stores the suffix under the Default database name, and your data is removed when the Sun Java Directory Server is restarted.
   To modify the default value and select a different database name:
   - Click Options to display the Options window.
   - Select the Use custom radio button.
   - Enter a database name other than Default. Database names can contain only ASCII (7-bit) alphanumeric characters, hyphens (-), and underscores (_). For example, you might name the new database secAuthority.
   - Choose another location for the directory that contains the database files, or accept the default value.
   - Click OK when you have configured all of the new suffix options. The New Suffix window shows all the options that you chose.
   - Click OK in the New Suffix window to create the new root suffix.
10. Expand the Data node to ensure that the suffix was created. If you chose to create a suffix to maintain user and group data, follow this procedure again to create another suffix, either in the default database or in a new database. For example, you could create a suffix named o=tivoli,c=us in the same database.
11. Do one of the following:
   - If you did not add any suffixes other than the management domain location, configuration is complete. A directory entry for the management domain location is automatically added when the policy server is configured.
   - If you added suffixes other than the management domain location, continue to step 12 to create directory entries for each new suffix.
12. Select the Directory tab and highlight the name of the server at the top of the left pane.
13. Select Object > New > Root Object. A list of new suffixes for which no entry yet exists is displayed.
14. For each new suffix (other than secAuthority=Default), select the new suffix. The New Object window is displayed. Scroll down to find the entry type that corresponds to the suffix that you are creating. For example, you might select organization for the suffix named o=tivoli,c=us. Highlight the entry type
15. In the Generic Editor window, enter a value for the entry. For the o=tivoli,c=us example, enter tivoli as the value for the organization object, and then click OK.
16. After you have created entries for each suffix that you added, select Console > Exit to close the console.

After you set up the Directory Server for use with Tivoli Access Manager, you can set up the policy server, as described in Chapter 4, Setting up a policy server, on page 137.
4. If you reinstall and reconfigure the Tivoli Access Manager policy server or install IBM WebSphere Application Server patches, you must unconfigure and reconfigure
   by storing minimal user and group tracking information. However, previous versions of Tivoli Access Manager and other Tivoli Access Manager products do not support this format and cannot access the user and group tracking information.
   - If there is no previous user registry information, as is the case with a new installation, and this format is selected, fewer LDAP objects are used to maintain the user and group tracking information. However, versions earlier than Tivoli Access Manager 6.0 do not support this format and cannot access the user and group information.
   - If you are upgrading all Tivoli Access Manager products to version 6.1.1 from a version earlier than 6.0, the existing user registry information can optionally be converted to the minimal format for user and group tracking information. The amldif2V6 tool converts user registry information from the standard format to the minimal format. The amldif2V6 tool is available from the IBM Tivoli Access Manager for e-business Web site. Review the support documentation before converting your user registry information. You can find technical support for the amldif2V6 tool at the IBM Tivoli Access Manager for e-business Web site:
     http://www.ibm.com/software/tivoli/products/access-mgr-e-bus

Standard
   This format, which is the same format used in versions of Tivoli Access Manager prior to 6.0, permits any version of Tivoli Access Manager to use the user and group information in the LDAP registry. If you have user registry information from a Tivoli Access Manager version prior to 6.1.1 and this format is selected, you do not need to convert the user registry data to a different format.

If the user and group information in the LDAP registry is used by other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Operating Systems or IBM Tivoli Federated Identity Manager, the same LDAP data format must be used for all products.
or Chapter 22, pdconfig options, on page 447 for instructions on how to set these parameters for the Access Manager policy server.

If the management domain location is not specified, the management domain location is assumed to be a stand-alone suffix on the LDAP server. Whether you use the default location or specify a different location in the LDAP DIT, the location specified for the management domain must already exist, unless the user registry is Novell eDirectory. For Novell eDirectory, if you have not specified the management domain location, Tivoli Access Manager uses the root location as the management domain location. The root location is a domain location that does not have a suffix. If you enter a specific location for the management domain, ensure that the location you specify already exists.

When an Access Manager domain is created, including the initial management domain, an entry called a secAuthorityInfo object is created in the LDAP server. This object represents the Access Manager domain and is named using the secAuthority attribute with the name of the domain as its value; for example, secAuthority=<domain_name>. If you do not provide a different name, the default name of the management domain is Default, making the secAuthorityInfo object name secAuthority=Default.
The object may then be created using the idsldapadd command-line utility as follows:
idsldapadd -h <ldap_hostname> -p <ldap_port> -D <ldap_admin_DN> -w <ldap_admin_pwd> -v -f example_DIT
where:
- ldap_hostname is the host name of the LDAP server.
- ldap_port is the port of the LDAP server.
- ldap_admin_DN is the Distinguished Name of the LDAP server administrator.
- ldap_admin_pwd is the password of the LDAP server administrator.
- example_DIT is the name of the file containing the LDIF.
Modify this example for the specific LDAP namespace appropriate for your organization. Once the LDAP object has been created, you can specify it as the management domain location DN during policy server configuration. See Installing the policy server (install_ammgr wizard) on page 369 or Chapter 22, pdconfig options, on page 447 for instructions on how to set these parameters for the Access Manager policy server.
   You must replace the management domain name Default, the suffix O=IBM,C=US, and the subdomains Domain1, Domain2, and so on, with the corresponding names of the current installation.
2. Update the ACL by running the following command:
ldapmodify -h host -p port -D cn=root -w pwd -i aclEntry.ldif
Management domain location for an Active Directory Application Mode (ADAM) registry
If Active Directory Application Mode (ADAM) is being used as the LDAP registry, you must choose a location DN within the same directory partition where you will store user and group information. This is because ADAM has a restriction that the policy server must exist in the same directory partition in which user and group information is maintained. The policy server cannot maintain user and group information outside the directory partition in which the policy server itself is defined.
Note: The installation wizard detects if a component is installed and does not attempt to reinstall it.

For descriptions of configuration options and step-by-step instructions with illustrations, see Installing the policy server (install_ammgr wizard) on page 369.

Attention:
- If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing with the installation wizard. After you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.
- If your system hangs after you issue the wizard command, or if a Java error message occurs after you issue the wizard command, ensure that Java is correctly installed.

To install and configure a policy server system using the install_ammgr wizard, follow these steps:
1. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations, in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
2. Ensure that your registry server is set up, configured, and running (in normal mode) before installing the policy server. For more information on setting up the registry server, see Chapter 3, Setting up the registry server, on page 53.
3. Ensure that the IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
4. To view status and messages in a language other than English, which is the default, install a language support package before running the installation wizard. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
5. On Windows systems only, exit from all running programs.
6. Run the install_ammgr program, located in the root directory on the IBM Tivoli Access Manager Base CD for the supported AIX, HP-UX, HP-UX on Integrity, Linux on x86, Linux on System z, Linux on POWER, Solaris, Solaris on x86_64, and Windows 2003 platforms.
Chapter 4. Setting up a policy server
   The installation wizard begins by prompting you for configuration information as described in Installing the policy server (install_ammgr wizard) on page 369. Supply the required configuration information, or accept the default values.
   Note: Ensure that the Tivoli Access Manager policy server is configured with a password that meets the minimum strength requirements and is not too weak for use with your user registry. For example, Windows 2003 Active Directory has more restrictive password requirements than previous versions of Active Directory. Make sure you understand your user registry password policy before configuring the policy server.
7. Compare the disk space that is required to install all of the Tivoli Access Manager policy server system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation.
   After you review the summary and accept your installation selections and configuration choices, the components are installed and configured without further intervention.

This step completes the setup of the Tivoli Access Manager policy server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
8. Install the Tivoli Access Manager packages:
installp -acgYXd cd_mount_point/usr/sys/inst.images packages
   where cd_mount_point is the directory where the CD is mounted and the packages are as follows:
   PD.lic   Specifies the Access Manager License package.
   PD.RTE   Specifies the Access Manager Runtime package.
   PD.Mgr   Specifies the Access Manager Policy Server package.

   Attention: You must not configure the Access Manager Runtime until the policy server is installed.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Tivoli Access Manager packages as follows:
   a. Start the configuration utility:
pdconfig
      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Policy Server package. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
      When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x (Exit) option twice to close the configuration utility.

This step completes the setup of the Tivoli Access Manager policy server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.

Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS-approved algorithms. After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:
Access Manager Policy Server configuration completed successfully. The Managers CA certificate is base64-encoded and saved in text file /var/PolicyDirector/keytab/pdcacert.b64 You must distribute this file to each machine in your secure domain. It is needed for successful configuration.
For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system requires a copy of this file. To obtain this file, do one of the following:
- During configuration of the Access Manager Runtime package (using the pdconfig utility), select the option to download the pdcacert.b64 file automatically.
- Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.
   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
7. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
9. Install the Tivoli Access Manager packages:
   - For HP-UX:
swinstall -s /cd-rom/hp packages
     where /cd-rom/hp is the directory and the packages are as follows:
     PDlic   Specifies the Access Manager License package.
     PDRTE   Specifies the Access Manager Runtime package.
     PDMgr   Specifies the Access Manager Policy Server package.
     where /cd-rom/hp_ia64 is the directory and the packages are as follows:
     PDlic   Specifies the Access Manager License package.
     PDRTE   Specifies the Access Manager Runtime package.
     PDMgr   Specifies the Access Manager Policy Server package.

   Attention: You must not configure the Access Manager Runtime until the policy server is installed.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Access Manager Runtime followed by the Access Manager Policy Server package as follows:
   a. Start the configuration utility:
pdconfig
      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
      When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x (Exit) option twice to close the configuration utility.
12. Unmount the CD as follows:
umount /cd-rom
   where /cd-rom is the mount point.

This step completes the setup of the Tivoli Access Manager policy server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.

Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS-approved algorithms. After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:
Access Manager Policy Server configuration completed successfully. The Managers CA certificate is base64-encoded and saved in text file /var/PolicyDirector/keytab/pdcacert.b64 You must distribute this file to each machine in your secure domain. It is needed for successful configuration.
For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system requires a copy of this file. To obtain this file, do one of the following:
- During configuration of the Access Manager Runtime package (using the pdconfig utility), select the option to download the pdcacert.b64 file automatically.
- Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.
   Attention: You must not configure the Access Manager Runtime until the policy server is installed.
10. Unmount the CD.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Tivoli Access Manager packages as follows:
   a. Start the configuration utility:
pdconfig
      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime package followed by the Access Manager Policy Server package. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
      When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x (Exit) option twice to close the configuration utility.

This step completes the setup of the Tivoli Access Manager policy server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.

Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS-approved algorithms. After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:
Access Manager Policy Server configuration completed successfully. The Managers CA certificate is base64-encoded and saved in text file /var/PolicyDirector/keytab/pdcacert.b64 You must distribute this file to each machine in your secure domain. It is needed for successful configuration.
For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system requires a copy of this file. To obtain this file, do one of the following:
- During configuration of the Access Manager Runtime package (using the pdconfig utility), select the option to download the pdcacert.b64 file automatically.
- Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.
1. Log on as root.
2. Ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, known defects, and limitations, in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that your registry server is up and running (in normal mode) before installing the policy server.
4. Insert the CD for your platform:
   - IBM Tivoli Access Manager Base for Solaris
   - IBM Tivoli Access Manager Base for Solaris on x86_64
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.
8. Install these Tivoli Access Manager packages:
   - For Solaris:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
where:
/cdrom/cdrom0/solaris            Specifies the location of the package.
/cdrom/cdrom0/solaris/pddefault  Specifies the location of the installation administration script.
and where the packages are as follows:
PDlic   Specifies the Access Manager License package.
PDRTE   Specifies the Access Manager Runtime package.
PDMgr   Specifies the Access Manager Policy Server package.
- For Solaris on x86_64:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages
where:
/cdrom/cdrom0/solaris_x86            Specifies the location of the package.
/cdrom/cdrom0/solaris_x86/pddefault  Specifies the location of the installation administration script.
and where the packages are as follows:
PDlic   Specifies the Access Manager License package.
PDRTE   Specifies the Access Manager Runtime package.
PDMgr   Specifies the Access Manager Policy Server package.
Attention: You must not configure the Access Manager Runtime until the policy server is installed.
When the installation process is complete for each package, the following message is displayed:
Installation of package successful.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Tivoli Access Manager packages as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime, followed by the Access Manager Policy Server package. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.
This step completes the setup of the Tivoli Access Manager policy server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS approved algorithms. After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:
Access Manager Policy Server configuration completed successfully.
The Managers CA certificate is base64-encoded and saved in text file
/var/PolicyDirector/keytab/pdcacert.b64
You must distribute this file to each machine in your secure domain.
It is needed for successful configuration.
For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system will require a copy of this file. To obtain this file, do one of the following:
- During configuration of the Access Manager Runtime package (using the pdconfig utility), select to download the pdcacert.b64 file automatically.
- Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.
1. Log on as a user with Administrator group privileges.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
3. Ensure that your registry server is up and running (in normal mode) before installing the policy server.
4. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 315.
5. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if it is not already installed. For instructions, see page 331.
6. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.
7. Insert the IBM Tivoli Access Manager Base for Windows CD.
8. Install the Tivoli Access Manager packages. To do so, run the setup.exe program located in this directory:
\windows\PolicyDirector\Disk Images\Disk1
Follow the online instructions and select to install the following packages:
- Access Manager License
- Access Manager Runtime
- Access Manager Policy Server
Attention: You must not configure the Access Manager Runtime until the policy server is installed.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Tivoli Access Manager packages as follows:
a. Start the configuration utility:
pdconfig
The Access Manager Configuration window is displayed.
b. Select the Access Manager Runtime package and click Configure.
c. Select the Access Manager Policy Server package and click Configure. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
This step completes the setup of the Tivoli Access Manager policy server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS approved algorithms. After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:
Access Manager Policy Server configuration completed successfully.
The Managers CA certificate is base64-encoded and saved in text file
C:\PROGRA~1\Tivoli\POLICY~1\keytab\pdcacert.b64
You must distribute this file to each machine in your secure domain.
It is needed for successful configuration.
For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system will require a copy of this file. To obtain this file, do one of the following:
- During configuration of the Access Manager Runtime package (using the pdconfig utility), select to download the pdcacert.b64 file automatically.
- Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.
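Each runtime system's copy of pdcacert.b64 becomes the trust anchor for that system's connections to the Tivoli Access Manager servers, so a copy that was truncated, re-encoded or replaced while being distributed (on Linux, Solaris or Windows, the three policy server procedures above) should be caught before the Access Manager Runtime is configured against it. The following Python script is an added example, not part of the IBM documentation or of the product: it extracts the base64 CERTIFICATE block from a pdcacert.b64 file, decodes it to DER, and compares the DER bytes (and a SHA-256 fingerprint over them) between the policy server's master file and a distributed copy. Comparing decoded bytes rather than the text means a copy that was only re-wrapped or given CRLF line endings by a Windows transfer still matches, while any change to the certificate itself does not. The certificate material in the samples is constructed placeholder bytes, not a real CA certificate.

```python
"""Compare a distributed copy of pdcacert.b64 with the policy server's master file.

Added example, not from the IBM Tivoli Access Manager documentation. The certificate
material below is constructed placeholder data, not a real CA certificate.
"""
import base64
import hashlib
import re
import sys

# One PEM CERTIFICATE block; \s* tolerates CRLF line endings from a Windows copy.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_from_pem(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block, or raise ValueError."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found; not a base64-encoded CA file")
    body = "".join(match.group(1).split())  # drop line wrapping and stray whitespace
    try:
        # validate=True rejects characters outside the base64 alphabet instead of
        # silently skipping them, so a corrupted copy fails here rather than later.
        return base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("CERTIFICATE block is not valid base64") from exc


def fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER bytes; independent of line wrapping or line endings."""
    return hashlib.sha256(der_from_pem(pem_text)).hexdigest()


def copy_matches(master_pem: str, copy_pem: str) -> bool:
    """True when both files decode to exactly the same DER bytes."""
    return der_from_pem(master_pem) == der_from_pem(copy_pem)


def make_pem(der: bytes, width: int = 64, newline: str = "\n") -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block (used to build the constructed samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *lines,
                         "-----END CERTIFICATE-----"]) + newline


# Constructed samples: placeholder bytes standing in for the CA certificate's DER.
CONSTRUCTED_DER = bytes(range(96))
MASTER_PEM = make_pem(CONSTRUCTED_DER)                                # as written by pdconfig
REWRAPPED_COPY = make_pem(CONSTRUCTED_DER, width=76, newline="\r\n")  # same cert, Windows copy
TAMPERED_COPY = make_pem(CONSTRUCTED_DER[:-1] + b"\x00")              # one byte altered
NOT_A_CERT = "this is some other file that was copied by mistake\n"


if __name__ == "__main__":
    # Usage on real files: python check_pdcacert.py <master pdcacert.b64> <copy>
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            master, copy = f1.read(), f2.read()
    else:
        master, copy = MASTER_PEM, REWRAPPED_COPY
    print("master sha256:", fingerprint(master))
    print("copy   sha256:", fingerprint(copy))
    print("MATCH" if copy_matches(master, copy) else "MISMATCH: do not configure the runtime")
```

Run it with the policy server's file and the copy placed on the runtime system; a mismatch, or a ValueError because the copied file is not a PEM certificate at all, means the runtime should not be configured until a correct copy has been distributed.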
4. Under both the following conditions, you must set [ldap] auth-using-compare to no in ivacld.conf after authorization server installation:
- You are installing an authorization server on an upgraded version of Tivoli Access Manager.
- You are using the Tivoli Directory Server registry to install the authorization server.
The upgrade process does not automatically update the Tivoli Access Manager ACLEntry in Tivoli Directory Server to permit the authorization server to use this method of authentication. Alternatively, you can verify whether the ACLEntry is updated on each LDAP suffix under which Tivoli Access Manager accounts are stored. The updated ACLEntry is:
ACLEntry=group:CN=IVACLD-SERVERS,CN=SECURITYGROUPS,SECAUTHORITY=DEFAULT:normal:rsc:system:rsc:at.userPassword:wc:at.secAcctValid:rwsc:at.secPwdFailCountTime:rwsc:at.secPwdFailures:rwsc:at.secPwdLastChanged:rwsc:at.secPwdLastFailed:rwsc:at.secPwdLastUsed:rwsc:at.secPwdUnlockTime:rwsc:at.secPwdValid:rwsc
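The note above gives two ways to keep an upgraded authorization server authenticating: force auth-using-compare to no in ivacld.conf, or confirm that the IVACLD-SERVERS ACLEntry on each suffix grants the updated attribute permissions. The Python below is an added example, not from the IBM documentation or the product, that checks both conditions: it reads the [ldap] stanza of an ivacld.conf text and parses an ACLEntry value into per-attribute permissions, reporting which of the attributes listed above lack all of r, w, s and c. The stanza/key layout of the .conf file ([stanza] headers with key = value lines) is an assumption, the ivacld.conf fragments and the "old" ACLEntry are constructed for illustration, and the updated ACLEntry is the one shown above; retrieving the live entry from the directory is left outside the script.

```python
"""Check [ldap] auth-using-compare in ivacld.conf against the IVACLD-SERVERS ACLEntry.

Added example, not from the IBM Tivoli Access Manager documentation. The conf text and
the pre-upgrade ACLEntry are constructed for illustration; the updated ACLEntry is the
one the installation guide shows. Reading the live entry from the directory is not done.
"""
import re

# Attributes the updated ACLEntry grants rwsc on (taken from the guide's ACLEntry).
REQUIRED_RWSC = (
    "secAcctValid", "secPwdFailCountTime", "secPwdFailures", "secPwdLastChanged",
    "secPwdLastFailed", "secPwdLastUsed", "secPwdUnlockTime", "secPwdValid",
)


def read_stanza_value(conf_text, stanza, key):
    """Return the value of `key` in `[stanza]` of a .conf text, or None if absent.

    Assumed format: '[stanza]' header lines, 'key = value' entries, '#' comments.
    """
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        if current == stanza.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return None


def parse_aclentry(entry):
    """Split 'group:<DN>:<class>:<perms>:at.<attr>:<perms>...' into (subject, {name: perms})."""
    tokens = [t.strip() for t in entry.split(":")]
    if len(tokens) < 2 or tokens[0].lower() != "group":
        raise ValueError("expected an ACLEntry of the form group:<DN>:...")
    subject = tokens[0] + ":" + tokens[1]
    rest = tokens[2:]
    if len(rest) % 2:
        raise ValueError("ACLEntry has a name without a permission field")
    perms = {}
    for name, grant in zip(rest[::2], rest[1::2]):
        key = name[3:] if name.lower().startswith("at.") else name  # strip the 'at.' prefix
        perms[key.lower()] = grant.lower()
    return subject, perms


def missing_permissions(entry):
    """List what the ACLEntry lacks for compare-based authorization server authentication."""
    subject, perms = parse_aclentry(entry)
    missing = []
    if "CN=IVACLD-SERVERS" not in subject.upper():
        missing.append("subject is not the IVACLD-SERVERS group")
    for attr in REQUIRED_RWSC:
        if not set("rwsc") <= set(perms.get(attr.lower(), "")):
            missing.append(attr)
    return missing


def check_authz_server_auth(conf_text, aclentry):
    """Return (ok, reason): ok when auth-using-compare is 'no' or the ACLEntry is updated."""
    value = read_stanza_value(conf_text, "ldap", "auth-using-compare")
    if value is not None and value.lower() == "no":
        return True, "auth-using-compare = no; compare-based authentication is not used"
    missing = missing_permissions(aclentry)
    if not missing:
        return True, "ACLEntry grants the updated permissions on this suffix"
    return False, ("set [ldap] auth-using-compare = no in ivacld.conf or update the "
                   "ACLEntry; missing: " + ", ".join(missing))


# The updated ACLEntry from the guide, and a constructed pre-upgrade-style entry.
UPDATED_ACLENTRY = (
    "group:CN=IVACLD-SERVERS,CN=SECURITYGROUPS,SECAUTHORITY=DEFAULT:normal:rsc"
    ":system:rsc:at.userPassword:wc:at.secAcctValid:rwsc:at.secPwdFailCountTime:rwsc"
    ":at.secPwdFailures:rwsc:at.secPwdLastChanged:rwsc:at.secPwdLastFailed:rwsc"
    ":at.secPwdLastUsed:rwsc:at.secPwdUnlockTime:rwsc:at.secPwdValid:rwsc"
)
OLD_ACLENTRY = (  # constructed: no write access to the password-policy attributes
    "group:CN=IVACLD-SERVERS,CN=SECURITYGROUPS,SECAUTHORITY=DEFAULT:normal:rsc"
    ":system:rsc:at.userPassword:wc:at.secAcctValid:rsc"
)
# Constructed ivacld.conf fragments (layout assumed: [stanza] header, key = value).
CONF_COMPARE_YES = "[ldap]\nauth-using-compare = yes\n"
CONF_COMPARE_NO = "[ldap]\n# forced after upgrade\nauth-using-compare = no\n"

if __name__ == "__main__":
    for conf, acl in ((CONF_COMPARE_YES, OLD_ACLENTRY), (CONF_COMPARE_YES, UPDATED_ACLENTRY),
                      (CONF_COMPARE_NO, OLD_ACLENTRY)):
        print(check_authz_server_auth(conf, acl))
```

The check is per suffix: run missing_permissions against the ACLEntry read from each suffix under which Tivoli Access Manager accounts are stored, since an upgrade may have updated some suffixes and not others.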
Note: The wizard detects if a component is installed and does not attempt to reinstall it.
Attention:
- If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.
- If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.
To install and configure an authorization server system using the install_amacld wizard, follow these steps:
1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
2. Ensure that the registry server and policy server are up and running (in normal mode).
3. Ensure that IBM Java Runtime version 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
4. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
5. On Windows systems only, exit from all running programs.
6. Run the install_amacld program, located in the root directory on the IBM Tivoli Access Manager Base CD for the supported AIX, HP-UX, HP-UX on Integrity, Solaris, Solaris on x86_64, Linux on x86, Linux on POWER, Linux on System z, and Windows 2003 platforms.
The installation wizard begins by prompting you for configuration information as described in install_amacld on page 392. Supply the required configuration information, or accept default values.
7. Compare the disk space that is required to install all of the Tivoli Access Manager authorization server system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation.
After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.
This step completes the setup of a Tivoli Access Manager authorization server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where cd_mount_point is the directory where the CD is mounted and the packages are as follows:
PD.lic    Specifies the Access Manager License package.
Chapter 5. Setting up an authorization server
PD.RTE    Specifies the Access Manager Runtime package.
PD.Acld   Specifies the Access Manager Authorization Server package.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Access Manager Runtime package followed by the Access Manager Authorization Server package as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.
This step completes the setup of a Tivoli Access Manager authorization server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
9. Install the Tivoli Access Manager packages:
- For HP-UX:
swinstall -s /cd-rom/hp packages
where /cd-rom/hp is the directory and packages are as follows:
PDlic    Specifies the Access Manager License package.
PDRTE    Specifies the Access Manager Runtime package.
PDAcld   Specifies the Access Manager Authorization Server package.
- For HP-UX on Integrity:
swinstall -s /cd-rom/hp_ia64 packages
where /cd-rom/hp_ia64 is the directory and packages are as follows:
PDlic    Specifies the Access Manager License package.
PDRTE    Specifies the Access Manager Runtime package.
PDAcld   Specifies the Access Manager Authorization Server package.
10. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the directory where the CD is mounted.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime followed by the Access Manager Authorization Server package as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.
This step completes the setup of a Tivoli Access Manager authorization server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Access Manager Runtime package                 PDRTE-PD-6.1.1.0-0.i386.rpm
Access Manager Authorization Server package    PDAcld-PD-6.1.1.0-0.i386.rpm
10. Unmount the CD.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime package followed by the Access Manager Authorization Server package as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.
This step completes the setup of a Tivoli Access Manager authorization server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
/cdrom/cdrom0/solaris/pddefault  Specifies the location of the installation administration script.
and where packages are as follows:
PDlic    Specifies the Access Manager License package.
PDRTE    Specifies the Access Manager Runtime package.
PDAcld   Specifies the Access Manager Authorization Server package.
- For Solaris on x86_64:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages
where:
/cdrom/cdrom0/solaris_x86            Specifies the location of the package.
/cdrom/cdrom0/solaris_x86/pddefault  Specifies the location of the installation administration script.
and where packages are as follows:
PDlic    Specifies the Access Manager License package.
PDRTE    Specifies the Access Manager Runtime package.
PDAcld   Specifies the Access Manager Authorization Server package.
When the installation process is complete for each package, the following message is displayed:
Installation of package successful.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Access Manager Runtime followed by the Access Manager Authorization Server package as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.
This step completes the setup of the Tivoli Access Manager policy server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Follow the online instructions and select to install the following packages:
- Access Manager License
- Access Manager Runtime
- Access Manager Authorization Server
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Access Manager Runtime package followed by the Access Manager Authorization Server package as follows:
a. Start the configuration utility:
pdconfig
The Access Manager Configuration window is displayed.
b. Select the Access Manager Runtime package and click Configure.
c. Select the Access Manager Authorization Server package and click Configure. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
This step completes the setup of a Tivoli Access Manager authorization server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
2. Ensure that the registry server and policy server are up and running (in normal mode).
3. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
4. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
5. On Windows systems only, exit from all running programs.
6. Run the install_amadk program, located in the root directory on the IBM Tivoli Access Manager Base CD for the supported AIX, HP-UX, HP-UX on Integrity, Solaris, Solaris on x86_64, Linux on x86, Linux on System z, Linux on POWER, Windows 2003, Windows Vista and Windows XP platforms. The installation wizard begins by prompting you for configuration information as described in install_amadk on page 396. Supply the required configuration information, or accept default values.
7. Compare the disk space that is required to install all of the Tivoli Access Manager development (ADK) system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation.
After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.
This step completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
8. Install the Tivoli Access Manager packages:
installp -acgYXd cd_mount_point/usr/sys/inst.images packages
where cd_mount_point is the directory where the CD is mounted and packages are as follows:
PD.lic       Specifies the Access Manager License package.
PD.RTE       Specifies the Access Manager Runtime package.
PD.AuthADK   Specifies the Access Manager Application Development Kit package.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Access Manager Runtime package as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447.
When a message is displayed that indicates the package has been successfully configured, select the x option twice to close the configuration utility.
This step completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the CD for your operating system:
- IBM Tivoli Access Manager Base for HP-UX
- IBM Tivoli Access Manager Base for HP-UX on Integrity
5. Mount the CD using the HP-UX mount command. For example, enter the following command:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
9. Install the Tivoli Access Manager packages:
- For HP-UX:
swinstall -s /cd-rom/hp packages
where /cd-rom is the directory where the CD is mounted and packages are as follows:
PDlic       Specifies the Access Manager License package.
PDRTE       Specifies the Access Manager Runtime package.
PDAuthADK   Specifies the Access Manager Application Development Kit package.
- For HP-UX on Integrity:
swinstall -s /cd-rom/hp_ia64 packages
where /cd-rom/hp_ia64 is the directory and packages are as follows:
PDlic       Specifies the Access Manager License package.
PDRTE       Specifies the Access Manager Runtime package.
PDAuthADK   Specifies the Access Manager Application Development Kit package.
10. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the mount point.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime component as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447.
When a message is displayed that indicates the package has been successfully configured, select the x option twice to close the configuration utility.
This step completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Linux on x86
Access Manager License package                        PDlic-PD-6.1.1.0-0.i386.rpm
Access Manager Runtime package                        PDRTE-PD-6.1.1.0-0.i386.rpm
Access Manager Application Development Kit package    PDAuthADK-PD-6.1.1.0-0.i386.rpm
10. Unmount the CD.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime component as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447.
When a message is displayed that indicates the package has been successfully configured, select the x option twice to close the configuration utility.
This step completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
- IBM Tivoli Access Manager Base for Solaris on x86_64
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.
8. Install the Tivoli Access Manager packages (one at a time):
- For Solaris:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
where:
/cdrom/cdrom0/solaris            Specifies the location of the package.
/cdrom/cdrom0/solaris/pddefault  Specifies the location of the installation administration script.
and packages are as follows:
PDlic       Specifies the Access Manager License package.
PDRTE       Specifies the Access Manager Runtime package.
PDAuthADK   Specifies the Access Manager Application Development Kit package.
where:
/cdrom/cdrom0/solaris_x86            Specifies the location of the package.
/cdrom/cdrom0/solaris_x86/pddefault  Specifies the location of the installation administration script.
and packages are as follows:
PDlic       Specifies the Access Manager License package.
PDRTE       Specifies the Access Manager Runtime package.
PDAuthADK   Specifies the Access Manager Application Development Kit package.
When the installation process is complete for each package, the following message is displayed:
Installation of package successful.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Access Manager Runtime component as follows:
a. Start the configuration utility:
pdconfig
Chapter 6. Setting up a development system
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447.
When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.
This step completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Follow the online instructions and select to install the following packages:
- Access Manager License
- Access Manager Runtime
- Access Manager Application Development Kit
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Access Manager Runtime component as follows:
a. Start the configuration utility:
pdconfig
b. Select the Access Manager Runtime package and click Configure. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447.
When a message is displayed that indicates the package has been successfully configured, click Close to exit the configuration utility.
This step completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Attention:
- If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.
- If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.
To install and configure Access Manager Runtime for Java using the install_amjrte wizard, follow these steps:
1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
2. Ensure that either IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 is installed and can be located using the PATH environment variable before running the installation wizard. For instructions on installing IBM Java Runtime 1.5.0 SR5, see page 318. Access Manager Runtime for Java configures additional security features into the specified JRE and only these two JREs are supported.
3. Ensure that the policy server is up and running.
4. To view status and messages in a language other than English, which is the default, install your language support package before running an installation wizard. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
5. On Windows systems only, exit from all running programs.
6. Run the install_amjrte program, located in the root directory on the IBM Tivoli Access Manager Base CD for the supported AIX, HP-UX, HP-UX on Integrity, Solaris, Solaris on x86_64, Linux on x86, Linux on System z, Linux on POWER, Windows 2003, Windows Vista and Windows XP platforms. The installation wizard begins by prompting you for configuration information as described in install_amjrte on page 397. Supply the required configuration information, or accept default values.
7. Compare the disk space that is required to install the Access Manager Runtime for Java component with the disk space that is available. If there is sufficient space, continue the installation.
After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.
This step completes the setup of Tivoli Access Manager Access Manager Runtime for Java. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where cd_mount_point is the directory where the CD is mounted and packages are as follows:
PD.lic    Specifies the Access Manager License package.
PDJ.rte   Specifies the Access Manager Runtime for Java package.
5. Ensure that either IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 is installed. For instructions on installing IBM Java Runtime 1.5.0 SR5, see page 318. Access Manager Runtime for Java configures additional security features into the specified JRE and only these two JREs are supported.
6. Unmount the CD.
7. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
8. To set up a Tivoli Access Manager Runtime for Java system with a configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this step is not required.
9. Before configuring the Access Manager Runtime for Java component, ensure that either the IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 can be located using the PATH environment variable.
10. To configure the Access Manager Runtime for Java component, change to the /opt/PolicyDirector/sbin directory and enter the following:
./pdjrtecfg -action config -interactive
This step completes the setup of the Tivoli Access Manager Access Manager Runtime for Java component. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
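The JRE prerequisite above (steps 5 and 9) is the one most often behind a failed pdjrtecfg run, because Access Manager Runtime for Java changes the security configuration of whichever JRE it is pointed at. The following pre-flight check is an added shell example, not a script from this guide or from IBM: it inspects the java that PATH resolves to and accepts only an IBM Java 1.5.0 runtime, which covers both supported JREs (the IBM Java Runtime 1.5.0 SR5 shipped with Tivoli Access Manager and the IBM JRE shipped with WebSphere Application Server 6.1). The banner strings it parses are the output of java -version; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: pre-flight check for the JRE
# that pdjrtecfg will configure. The java found first on PATH must be an
# IBM Java 1.5.0 runtime (the SR5 runtime shipped with Tivoli Access Manager
# or the JRE shipped with WebSphere Application Server 6.1).

# Reads a `java -version` banner from stdin; returns 0 when it describes an
# IBM Java 1.5.0 runtime, 1 otherwise. When the banner carries a service
# refresh marker such as (SR5), it is printed so the operator can compare it
# with the SR5 level the guide requires.
jre_banner_is_supported() {
    banner=$(cat)
    case "$banner" in
        *'java version "1.5.0'*) ;;
        *) return 1 ;;
    esac
    case "$banner" in
        *'IBM J9'*|*'J2RE 1.5.0 IBM'*) ;;
        *) return 1 ;;
    esac
    sr=$(printf '%s\n' "$banner" | sed -n 's/.*(\(SR[0-9][0-9]*\)).*/\1/p' | head -n 1)
    printf '%s\n' "${sr:-SR level not in banner}"
    return 0
}

# Checks the java that PATH resolves to. java -version writes its banner to
# stderr, hence the 2>&1. Returns 2 if no java is on PATH, 1 if the JRE
# found is not a supported one, 0 otherwise.
check_jre_on_path() {
    javabin=$(command -v java 2>/dev/null) || {
        echo "no java on PATH; install IBM Java Runtime 1.5.0 SR5 first" >&2
        return 2
    }
    if sr=$("$javabin" -version 2>&1 | jre_banner_is_supported); then
        echo "supported JRE at $javabin ($sr)"
    else
        echo "unsupported JRE at $javabin; pdjrtecfg supports only IBM Java 1.5.0" >&2
        return 1
    fi
}
```

Run check_jre_on_path before pdjrtecfg, in the same shell session and with the same PATH, since the configuration utility resolves java the same way. On HP-UX the guide narrows the requirement to the IBM Java Runtime 1.5.0 SR5 only, which the IBM J9 test also satisfies.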
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
5. Install the Tivoli Access Manager packages:
- For HP-UX:
swinstall -s /cd-rom/hp packages
where /cd-rom/hp is the installation directory to install the Access Manager Runtime for Java package and packages are as follows:
PDlic    Specifies the Access Manager License package.
PDJrte   Specifies the Access Manager Runtime for Java package.
- For HP-UX on Integrity:
swinstall -s /cd-rom/hp_ia64 packages
where /cd-rom/hp_ia64 is the installation directory to install the Access Manager Runtime for Java package and packages are as follows:
PDlic    Specifies the Access Manager License package.
PDJrte   Specifies the Access Manager Runtime for Java package.
6. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed. For instructions on installing IBM Java Runtime 1.5.0 SR5, see page 319.
Access Manager Runtime for Java configures additional security features into the specified JRE and only IBM Java Runtime 1.5.0 SR5 is supported on HP-UX systems.
7. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the mount point.
8. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
9. To set up Access Manager Runtime for Java with a configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this step is not required.
10. Before configuring the Access Manager Runtime for Java component, ensure that either the IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 can be located using the PATH environment variable.
11. To configure the Access Manager Runtime for Java component, change to the /opt/PolicyDirector/sbin directory and enter the following:
./pdjrtecfg -action config -interactive
This step completes the setup of the Tivoli Access Manager Access Manager Runtime for Java component. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Linux on x86:
  Access Manager License package            PDlic-PD-6.1.1.0-0.i386.rpm
  Access Manager Runtime for Java package   PDJrte-PD-6.1.1.0-0.i386.rpm
6. Ensure that either IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 is installed. For instructions on installing IBM Java Runtime 1.5.0 SR5, see page 320. Access Manager Runtime for Java configures additional security features into the specified JRE and only these two JREs are supported.
7. Unmount the CD.
8. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
9. To set up Access Manager Runtime for Java with a configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this step is not required.
10. Before configuring the Access Manager Runtime for Java component, ensure that either the IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 can be located using the PATH environment variable.
11. To configure the Access Manager Runtime for Java component, change to the /opt/PolicyDirector/sbin directory and enter the following:
./pdjrtecfg -action config -interactive
This step completes the setup of the Tivoli Access Manager Access Manager Runtime for Java component. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where:
/cdrom/cdrom0/solaris
    Specifies the location of the package.
/cdrom/cdrom0/solaris/pddefault
    Specifies the location of the installation administration script.
and packages are as follows:
PDlic    Specifies the Access Manager License package.
PDJrte   Specifies the Access Manager Runtime for Java package.
- For Solaris on x86_64:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages
where:
/cdrom/cdrom0/solaris_x86
    Specifies the location of the package.
/cdrom/cdrom0/solaris_x86/pddefault
    Specifies the location of the installation administration script.
and packages are as follows:
PDlic    Specifies the Access Manager License package.
PDJrte   Specifies the Access Manager Runtime for Java package.
5. Ensure that either IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 is installed. For instructions on installing IBM Java Runtime 1.5.0 SR5, see page 321. Access Manager Runtime for Java configures additional security features into the specified JRE and only these two JREs are supported.
6. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
7. To set up Access Manager Runtime for Java with a configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this step is not required.
8. Before configuring the Access Manager Runtime for Java component, ensure that either the IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 can be located using the PATH environment variable.
9. To configure the Access Manager Runtime for Java component, change to the /opt/PolicyDirector/sbin directory and enter the following:
./pdjrtecfg -action config -interactive
This step completes the setup of the Tivoli Access Manager Access Manager Runtime for Java component. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Chapter 7. Setting up an Access Manager Runtime for Java system
Follow the online instructions and select to install the following packages:
- Access Manager License
- Access Manager Runtime for Java
5. Ensure that either IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 is installed. For instructions on installing IBM Java Runtime 1.5.0 SR5, see page 321. Access Manager Runtime for Java configures additional security features into the specified JRE and only these two JREs are supported.
6. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
7. To set up Access Manager Runtime for Java with a configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this step is not required.
8. To configure the Access Manager Runtime for Java component, change to the c:\Program Files\Tivoli\Policy Director\sbin directory and enter the following:
pdjrtecfg -action config -interactive
This step completes the setup of the Tivoli Access Manager Access Manager Runtime for Java component. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Note: The wizard detects if a component is installed and does not attempt to reinstall it.
Attention:
- If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.
- If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.

To install and configure a policy proxy server system using the install_amproxy wizard, follow these steps:
1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
2. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
5. On Windows systems only, exit from all running programs.
6. Run the install_amproxy program, located in the root directory on the IBM Tivoli Access Manager Base CD for the supported AIX, HP-UX, HP-UX on Integrity, Solaris, Solaris on x86_64, Linux on x86, Linux on POWER, Linux on System z, or Windows 2003 platforms. The installation wizard begins by prompting you for configuration information as described in install_amproxy on page 404. Supply the required configuration information, or accept default values.
7. Compare the disk space that is required to install all of the Tivoli Access Manager policy proxy server components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation. After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.

This step completes the setup of a Tivoli Access Manager policy proxy server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
- AIX on page 183
- HP-UX on page 184
- Linux on page 185
- Solaris on page 187
- Windows on page 188
where cd_mount_point is the directory where the CD is mounted and packages are as follows:
PD.lic        Specifies the Access Manager License package.
PD.RTE        Specifies the Access Manager Runtime package.
PD.MgrProxy   Specifies the Access Manager Policy Proxy Server package.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Access Manager Runtime followed by the Access Manager Policy Proxy Server package as follows:
a. Start the configuration utility:
pdconfig
   The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time.
   Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
   When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager policy proxy server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
9. Install the Tivoli Access Manager packages:
- For HP-UX:
swinstall -s /cd-rom/hp packages
where /cd-rom/hp is the directory where the CD is mounted and packages are as follows:
PDlic       Specifies the Access Manager License package.
PDRTE       Specifies the Access Manager Runtime package.
PDMgrPrxy   Specifies the Access Manager Policy Proxy Server package.
- For HP-UX on Integrity:
swinstall -s /cd-rom/hp_ia64 packages
where /cd-rom/hp_ia64 is the directory and packages are as follows:
PDlic       Specifies the Access Manager License package.
PDRTE       Specifies the Access Manager Runtime package.
PDMgrPrxy   Specifies the Access Manager Policy Proxy Server package.
10. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the mount point.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime followed by the Access Manager Policy Proxy Server package as follows:
a. Start the configuration utility:
pdconfig
   The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
   When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager policy proxy server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
4. Insert the IBM Tivoli Access Manager Base for Linux on x86, IBM Tivoli Access Manager Base for Linux on POWER, or the IBM Tivoli Access Manager Base for Linux on System z CD and mount it.
5. Change to the /mnt/cdrom/distribution directory, where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_ppc for POWER, or linux_s390 for System z.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 313.
7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 329.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 324.
9. Install the Tivoli Access Manager packages:
rpm -ihv packages
10. Unmount the CD.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime followed by the Access Manager Policy Proxy Server package as follows:
a. Start the configuration utility:
pdconfig
   The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
   When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager policy proxy server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where:
/cdrom/cdrom0/solaris
    Specifies the location of the package.
/cdrom/cdrom0/solaris/pddefault
    Specifies the location of the installation administration script.
and where the packages are as follows:
PDlic       Specifies the Access Manager License package.
PDRTE       Specifies the Access Manager Runtime package.
PDMgrPrxy   Specifies the Access Manager Policy Proxy Server package.
- For Solaris on x86_64:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages
/cdrom/cdrom0/solaris_x86/pddefault
    Specifies the location of the installation administration script.
and where the packages are as follows:
PDlic       Specifies the Access Manager License package.
PDRTE       Specifies the Access Manager Runtime package.
PDMgrPrxy   Specifies the Access Manager Policy Proxy Server package.
When the installation process is complete for each package, the following message is displayed:
Installation of package successful.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure Access Manager Runtime followed by the Access Manager Policy Proxy Server package as follows:
a. Start the configuration utility:
pdconfig
   The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
   When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager policy proxy server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
4. Insert the IBM Tivoli Access Manager Base for Windows CD.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 315.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 331.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.
8. Install the Tivoli Access Manager packages. To do so, run the setup.exe program located in the following directory:
\windows\PolicyDirector\Disk Images\Disk1
Follow the online instructions and select to install the following packages:
- Access Manager License
- Access Manager Runtime
- Access Manager Policy Proxy Server
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Access Manager Runtime package followed by the Access Manager Policy Proxy Server package as follows:
a. Start the configuration utility:
pdconfig
   The Access Manager Configuration window is displayed.
b. Select the Access Manager Runtime package and click Configure.
c. Select the Access Manager Policy Proxy Server package and click Configure.
   Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.

This step completes the setup of a Tivoli Access Manager policy proxy server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
2. Ensure that the registry server and policy server are up and running (in normal mode).
3. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
4. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
5. On Windows systems only, exit from all running programs.
6. Run the install_amrte program, located in the root directory on the IBM Tivoli Access Manager Base CD for the supported AIX, HP-UX, HP-UX on Integrity, Solaris, Solaris on x86_64, Linux on x86, Linux on POWER, Linux on System z, and Windows 2003, Windows XP and Windows Vista platforms. The installation wizard begins by prompting you for configuration information as described on page 378 (LDAP), page 382 (Active Directory), or page 389 (Domino). Supply the required configuration information, or accept default values.
7. Compare the disk space that is required to install all of the Tivoli Access Manager runtime system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation. After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.

This step completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where cd_mount_point is the directory where the CD is mounted and packages are as follows:
PD.lic   Specifies the Access Manager License package.
PD.RTE   Specifies the Access Manager Runtime package.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Access Manager Runtime package as follows:
a. Start the configuration utility:
pdconfig
   The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447.
   When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
9. Install the Tivoli Access Manager packages:
- For HP-UX:
swinstall -s /cd-rom/hp packages
where /cd-rom/hp is the directory where the CD is mounted and packages are as follows:
PDlic   Specifies the Access Manager License package.
PDRTE   Specifies the Access Manager Runtime package.
- For HP-UX on Integrity:
where /cd-rom/hp_ia64 is the directory and packages are as follows:
PDlic   Specifies the Access Manager License package.
PDRTE   Specifies the Access Manager Runtime package.
10. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the mount point.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime package as follows:
a. Start the configuration utility:
pdconfig
   The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447.
   When a message is displayed that indicates the package has been successfully configured, select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 329.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 324.
8. Install the Tivoli Access Manager packages:
rpm -ihv packages
Linux on System z:   PDRTE-PD-6.1.1.0-0.s390.rpm
Linux on POWER:      PDRTE-PD-6.1.1.0-0.ppc.rpm
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Access Manager Runtime package as follows:
a. Start the configuration utility:
pdconfig
   The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   When a message is displayed that indicates the package has been successfully configured, select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
3. Add the following lines after the first line in the /opt/PolicyDirector/bin/pd_start file:
### BEGIN INIT INFO
# Provides: pd
# Required-Start: $network
# Required-Stop:
# Default-Start: 3 5
# Default-Stop:
# Description: Script to start and stop Tivoli Access Manager.
### END INIT INFO
4. Run the following command to enable Tivoli Access Manager servers to start during system startup:
chkconfig pd on
This command creates the following start and stop script links:
lrwxrwxrwx 1 root root 5 Mar 15 16:11 /etc/init.d/rc3.d/K16pd -> ../pd
lrwxrwxrwx 1 root root 5 Mar 15 16:11 /etc/init.d/rc3.d/S06pd -> ../pd
lrwxrwxrwx 1 root root 5 Mar 15 16:11 /etc/init.d/rc5.d/K16pd -> ../pd
lrwxrwxrwx 1 root root 5 Mar 15 16:11 /etc/init.d/rc5.d/S06pd -> ../pd
Notes:
1. Run the following command before uninstalling Tivoli Access Manager runtime from your computer:
chkconfig pd off
2. If Tivoli Directory Server is installed on the same computer as Tivoli Access Manager, add Tivoli Directory Server to the # Required-Start: line of the /opt/PolicyDirector/bin/pd_start file. Then run the following commands in this order:
a. chkconfig pd off
b. chkconfig pd on
Running these commands ensures that the Tivoli Access Manager log files do not have messages indicating that the LDAP server has failed and recovered.
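The pd_start edit in step 3 and the re-registration in note 2 are easy to get wrong by hand (a header inserted twice, or inserted above the #! line, is not what chkconfig expects). The following shell functions are an added example, not IBM's pd_start script and not part of this guide: they insert the guide's LSB header after the first line only when it is not already present, so the edit can be re-run, and report the Required-Start list so an operator can confirm what the pd service is ordered after. The file path is a parameter (the guide's real file is /opt/PolicyDirector/bin/pd_start), and the Required-Start facility list is a parameter too, so the same function covers the plain case and the co-located directory server case; the directory server's facility name is not given by the guide and is not assumed here.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: make the pd_start edit from
# step 3 repeatable. FILE is the init script (the guide's real path is
# /opt/PolicyDirector/bin/pd_start); REQUIRED is the Required-Start
# facility list, "$network" by default, extended with the directory
# server's facility when Tivoli Directory Server runs on the same host.

# Prints the LSB header block from the guide with the given Required-Start list.
lsb_header() {
    required=${1:-'$network'}
    cat <<EOF
### BEGIN INIT INFO
# Provides: pd
# Required-Start: $required
# Required-Stop:
# Default-Start: 3 5
# Default-Stop:
# Description: Script to start and stop Tivoli Access Manager.
### END INIT INFO
EOF
}

# Inserts the header after line 1 (the #! line) of FILE unless FILE already
# carries one, so a second run changes nothing. The rewrite goes through a
# temporary file and back with cat, which keeps the script's owner and
# execute bits intact.
add_lsb_header() {
    file=$1
    required=$2
    if grep -q '^### BEGIN INIT INFO' "$file"; then
        return 0
    fi
    tmp="$file.tmp.$$"
    { head -n 1 "$file"; lsb_header "$required"; tail -n +2 "$file"; } > "$tmp" &&
        cat "$tmp" > "$file" &&
        rm -f "$tmp"
}

# Prints the Required-Start facilities recorded in FILE, so an operator can
# confirm what chkconfig will order the pd service after.
required_start_of() {
    sed -n 's/^# Required-Start: *//p' "$1"
}

# Re-registers the service after the header changed (step 4 and note 2 of
# the guide). Run as root on the real system; it is not exercised offline.
reregister_pd() {
    chkconfig pd off && chkconfig pd on
}
```

Because add_lsb_header leaves an existing header alone, changing the Required-Start list of a script that already has one (the note 2 case) is a separate edit of that line followed by reregister_pd; the function's value is that it can be kept in a provisioning script and re-run without stacking headers.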
where:
/cdrom/cdrom0/solaris
    Specifies the location of the package.
/cdrom/cdrom0/solaris/pddefault
    Specifies the location of the installation administration script.
and packages are as follows:
PDlic   Specifies the Access Manager License package.
PDRTE   Specifies the Access Manager Runtime package.
- For Solaris on x86_64:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages
where:
/cdrom/cdrom0/solaris_x86
    Specifies the location of the package.
/cdrom/cdrom0/solaris_x86/pddefault
    Specifies the location of the installation administration script.
and packages are as follows:
PDlic   Specifies the Access Manager License package.
PDRTE   Specifies the Access Manager Runtime package.
When the installation process is complete for each package, the following message is displayed:
Installation of package successful.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Access Manager Runtime package as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447. When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.
This step completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Follow the online instructions and select to install the following packages:
v Access Manager License
v Access Manager Runtime
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Access Manager Runtime package as follows:
a. Start the configuration utility:
pdconfig
The Access Manager Configuration window is displayed.
b. Select the Access Manager Runtime package and click Configure. You are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
This step completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
You can find the value of user_install_root by clicking Environment > WebSphere Variables in the WebSphere Administrative console for the WebSphere node on which the WebSphere Portal manager installation is being run. In the soap.client.props file, add the lines:
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.trustStoreType=PKCS12
Note: You can verify that the Web Portal Manager configuration is using the intended soap.client.props file when running the amwpmcfg utility by using the -debug option and checking the message:
DEBUG: SOAP client props file =
v Access Manager License
v Access Manager Runtime for Java
v Access Manager Web Portal Manager
The Web Portal Manager installation wizard detects if a component is installed and does not attempt to reinstall it. If a compatible version of WebSphere Application Server is detected by the wizard, you will be given the choice to use that version or have the wizard install a new one. If you choose to use the existing WebSphere Application Server, ensure you also have the plug-ins and HTTP server installed and working properly before continuing with the wizard. If you do not have a working HTTP server, choose the native install method to install the Web Portal Manager.
Attention:
v If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.
v If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.
To install and configure a Web Portal Manager system using the install_amwpm wizard, follow these steps.
1. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
2. Ensure that the registry server and policy server are up and running (in normal mode).
3. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard.
For instructions on installing IBM Java Runtime 1.5.0 SR5, see page 318.
4. Ensure that you have a supported Web browser installed on a system in your secure domain. Web Portal Manager supports:
v Microsoft Internet Explorer 5.5, 6.0 and 7.50
v Mozilla 1.7
5. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
6. On Windows systems only, exit from all running programs.
7. Run the install_amwpm program, located in the root directory on the IBM Tivoli Access Manager Base CD for AIX, HP-UX, HP-UX on Integrity, Linux on x86, Linux on System z, Linux on POWER, Solaris, Solaris on x86_64 and Windows 2003 platforms. The installation wizard begins by prompting you for configuration information as described in install_amwpm on page 439. Supply the required configuration information, or accept default values.
If a compatible version of WebSphere Application Server is detected by the wizard, you will be given the choice to use that version or have the wizard install a new one. If you choose to use the existing WebSphere Application Server, ensure you also have the plug-ins and HTTP server installed and working properly before continuing with the wizard. If you do not have a working HTTP server, choose the native install method to install the Web Portal Manager.
8. Compare the disk space that is required to install all of the Web Portal Manager components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation. After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.
9. If WebSphere Application Server was not installed by the install_amwpm program, stop and restart the server where Web Portal Manager was installed. For example, to restart server1:
AIX, HP-UX and HP-UX on Integrity
/usr/WebSphere/AppServer/bin/stopServer.sh server1
/usr/WebSphere/AppServer/bin/startServer.sh server1
Windows
C:\Program Files\IBM\WebSphere\AppServer\bin\stopServer.bat server1
C:\Program Files\IBM\WebSphere\AppServer\bin\startServer.bat server1
10. To access the Web Portal Manager interface, enter the following address in your Web browser:
http://hostname:port/ibm/console
where hostname is the host name of the system where IBM WebSphere Application Server is running, and port is the port number being used, such as 9060. For example:
http://wpm14.example.com:9060/ibm/console
This step completes the setup of a Tivoli Access Manager Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager for e-business: Administration Guide. Note that Tivoli Access Manager does not provide a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server. If you purchase a certificate from a qualified certificate authority (CA), configure it into the Web Portal Manager environment.
Complete the instructions that apply to your operating system:
v AIX on page 204
v HP-UX on page 206
v Linux on page 208
v Solaris on page 211
v Windows on page 214
where cd_mount_point is the directory where the CD is mounted and packages are as follows:
PD.lic
Specifies the Access Manager License package.
PDJ.rte
Specifies the Access Manager Runtime for Java package.
PD.WPM
Specifies the Access Manager Web Portal Manager package.
Note: These packages must be installed on the same system as IBM WebSphere Application Server.
9. Unmount the CD.
10. Optional: You can use the IBM WebSphere Application Server setupCmdLine script to reset environment variables, including the location of IBM Java Runtime, before configuring Access Manager Runtime for Java and Web Portal Manager.
a. Run the which java command from the command line to show the default PATH settings being used. For example, the command shows that Java is currently being run from the /usr/bin/java directory.
b. To update the PATH environment variable and reset the JAVA_HOME variable, edit the setupCmdLine.sh file and change the environment variable as needed.
c. Enter:
. /opt/IBM/WebSphere/AppServer/bin/setupCmdLine.sh
Set the JAVA_HOME variable to the Java Runtime Environment that has been configured for Access Manager Runtime for Java. The JAVA_HOME variable should be set to the top directory.
/opt/IBM/WebSphere/AppServer/java
11. To view status and messages for the Access Manager Runtime for Java component in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime for Java component for use within the Java Runtime Environment installed with WebSphere. To do so, follow these steps:
a. Stop the WebSphere Application Server and the IBM HTTP Server.
b. Change to the /opt/PolicyDirector/sbin directory and enter the following command:
./pdjrtecfg -action config -interactive
c. Select the Full configuration type.
d. Specify the Java Runtime Environment that was installed with IBM WebSphere Application Server. For example:
/opt/IBM/WebSphere/AppServer/java/jre
e. Specify the policy server host name, port, and domain. For more information about this utility, see pdjrtecfg on page 579.
13. Restart the WebSphere Application Server and the IBM HTTP Server. To restart the WebSphere Application Server, run the startServer.sh script, located in the /opt/IBM/WebSphere/AppServer/bin directory as follows:
./stopServer.sh server1
./startServer.sh server1
Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the /usr/HTTPServer/conf/httpd.conf file, change default port 80 to an unused port, such as 8080, and then restart the IBM HTTP Server.
# Port: The port the standalone listens to.
Port 8080
14. Configure the Access Manager Web Portal Manager package by running the amwpmcfg command, located in the /opt/PolicyDirector/sbin/ directory as follows:
./amwpmcfg -action config -interactive
Specify the necessary configuration parameters, such as IBM WebSphere Application Server installation path, the policy server host name and port number, and the Tivoli Access Manager administrator ID and password.
For more information about this utility and all of its parameters, see amwpmcfg on page 557.
15. To access the Web Portal Manager interface, enter the following address in your Web browser:
http://hostname:port/ibm/console
where hostname is the host name of the system where IBM WebSphere Application Server is running, and port is the port number being used, such as 9060. For example:
http://wpm14.example.com:9060/ibm/console
This step completes the setup of a Tivoli Access Manager Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager for e-business: Administration Guide. Note that Tivoli Access Manager does not provide a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server. Purchase a CA certificate and then configure it into the Web Portal Manager environment.
where format specifies the device format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
9. Install the Tivoli Access Manager packages:
v For HP-UX:
swinstall -s /cd-rom/hp packages
where /cd-rom/hp specifies the directory and packages are as follows:
PDlic
Specifies the Access Manager License package.
PDJrte
Specifies the Access Manager Runtime for Java package.
PDWPM
Specifies the Access Manager Web Portal Manager package.
Note: These packages must be installed on the same system as IBM WebSphere Application Server.
v For HP-UX on Integrity:
swinstall -s /cd-rom/hp_ia64 packages
where /cd-rom/hp_ia64 specifies the directory and packages are as follows:
PDlic
Specifies the Access Manager License package.
PDJrte
Specifies the Access Manager Runtime for Java package.
PDWPM
Specifies the Access Manager Web Portal Manager package.
Note: These packages must be installed on the same system as IBM WebSphere Application Server.
10. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the mount point.
11. Optional: You can use the IBM WebSphere setupCmdLine script to reset environment variables, including the location of the Java Runtime Environment, before configuring Access Manager Runtime for Java and Web Portal Manager.
a. Run the which java command from the command line to show the default PATH settings being used. For example, the command shows that Java is currently being run from the /usr/bin/java directory.
b. To update the PATH environment variable and reset the JAVA_HOME variable, edit the setupCmdLine.sh file and change the environment variable as needed.
c. Enter:
. /opt/IBM/WebSphere/AppServer/bin/setupCmdLine.sh
Set the JAVA_HOME variable to the Java Runtime Environment that has been configured for Access Manager Runtime for Java. The JAVA_HOME variable should be set to the top directory.
/opt/IBM/WebSphere/AppServer/java
12. To view status and messages for the Access Manager Runtime for Java component in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
13. Configure the Access Manager Runtime for Java component for use within the Java Runtime Environment installed with WebSphere. To do so, follow these steps:
a. Stop the WebSphere Application Server and the IBM HTTP Server.
b. Change to the /opt/PolicyDirector/sbin directory and enter the following command:
./pdjrtecfg -action config -interactive
Chapter 10. Setting up a Web Portal Manager system
c. Select the Full configuration type.
d. Specify the Java Runtime Environment that was installed with IBM WebSphere Application Server. For example:
/usr/WebSphere/AppServer/java/jre
e. Specify the policy server host name, port, and domain. For more information about this utility, see pdjrtecfg on page 579.
14. Restart the WebSphere Application Server and the IBM HTTP Server. To restart the WebSphere Application Server, run the startServer.sh script, located in the /usr/WebSphere/AppServer/bin directory as follows:
./stopServer.sh server1
./startServer.sh server1
Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the /opt/IBMHTTPServer/conf/httpd.conf file, change default port 80 to 8080 as shown, and then restart the IBM HTTP Server.
# Port: The port the standalone listens to.
Port 8080
Specify the necessary configuration parameters, such as IBM WebSphere Application Server installation path, the policy server host name and port number, and the Tivoli Access Manager administrator ID and password. For more information about this utility and all of its parameters, see amwpmcfg on page 557.
16. To access the Web Portal Manager interface, enter the following address in your Web browser:
http://hostname:port/ibm/console
where hostname is the host name of the system where IBM WebSphere Application Server is running, and port is the port number being used, such as 9060. For example:
http://wpm14.example.com:9060/ibm/console
This step completes the setup of a Tivoli Access Manager Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager for e-business: Administration Guide. Note that Tivoli Access Manager does not provide a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server. Purchase a CA certificate and then configure it into the Web Portal Manager environment.
To install a Tivoli Access Manager Web Portal Manager system on Linux, complete the following steps:
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Ensure that you have a supported Web browser installed on a system in your secure domain. Web Portal Manager supports:
v Microsoft Internet Explorer 5.5 and 6.0
v Mozilla 1.7
5. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed. For instructions, see page 320.
Note: If you configure Web Portal Manager against Java Runtime Environments other than the Java Runtime Environment supported by Tivoli Access Manager, the configuration might fail.
6. Install IBM WebSphere Application Server. For instructions, see page 335.
7. Insert the IBM Tivoli Access Manager Base for Linux on x86, IBM Tivoli Access Manager Base for Linux on System z, or IBM Tivoli Access Manager Base for Linux on POWER CD and mount it.
8. Change to the /mnt/cdrom/distribution directory where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_ppc for POWER, or linux_s390 for System z.
9. Install the Tivoli Access Manager packages:
rpm -ihv packages
where packages are the package files for your distribution. The Web Portal Manager package files are:
PDWPM-PD-6.1.1.0-0.i386.rpm
PDWPM-PD-6.1.1.00.s390.rpm
PDWPM-PD-6.1.1.00.ppc.rpm
Note: These packages must be installed on the same system as IBM WebSphere Application Server.
10. Unmount the CD.
11. Optional: You can use the IBM WebSphere setupCmdLine script to reset environment variables, including the location of the Java Runtime Environment, before configuring Access Manager Runtime for Java and Web Portal Manager.
a. Run the which java command from the command line to show the default PATH settings being used. For example, the command shows that Java is currently being run from the /usr/bin/java directory.
b. To update the PATH environment variable and reset the JAVA_HOME variable, edit the setupCmdLine.sh file and change the environment variable as needed.
c. Enter:
. /opt/IBM/WebSphere/AppServer/bin/setupCmdLine.sh
Set the JAVA_HOME variable to the Java Runtime Environment that has been configured for Access Manager Runtime for Java. The JAVA_HOME variable should be set to the top directory.
/opt/WebSphere/AppServer/java
12. To view status and messages for the Access Manager Runtime for Java component in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
13. Configure the Access Manager Runtime for Java component for use within the Java Runtime Environment installed with WebSphere. To do so, follow these steps:
a. Stop the WebSphere Application Server and the IBM HTTP Server.
b. Change to the /opt/PolicyDirector/sbin directory and enter the following command:
./pdjrtecfg -action config -interactive
c. Select the Full configuration type.
d. Specify the Java Runtime Environment that was installed with IBM WebSphere Application Server. For example:
/opt/WebSphere/AppServer/java/jre
e. Specify the policy server host name, port, and domain. For more information about this utility, see pdjrtecfg on page 579.
14. Restart the WebSphere Application Server and the IBM HTTP Server. To restart the IBM WebSphere Application Server, run the startServer.sh script, located in the /opt/IBM/WebSphere/AppServer/bin directory as follows:
./stopServer.sh server1
./startServer.sh server1
Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the /opt/IBMHTTPServer/conf/httpd.conf file, change default port 80 to 8080 as shown, and then restart the IBM HTTP Server.
# Port: The port the standalone listens to.
Port 8080
15. Configure the Access Manager Web Portal Manager package by running the amwpmcfg command, located in the /opt/PolicyDirector/sbin/ directory as follows:
./amwpmcfg -action config -interactive
Specify the necessary configuration parameters, such as IBM WebSphere Application Server installation path, the policy server host name and port number, and the Tivoli Access Manager administrator ID and password.
For more information about this utility and all of its parameters, see amwpmcfg on page 557.
16. To access the Web Portal Manager interface, enter the following address in your Web browser:
http://hostname:port/ibm/console
where hostname is the host name of the system where IBM WebSphere Application Server is running, and port is the port number being used, such as 9060. For example:
http://wpm14.example.com:9060/ibm/console
This step completes the setup of a Tivoli Access Manager Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager for e-business: Administration Guide. Note that Tivoli Access Manager does not provide a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server. Purchase a CA certificate and then configure it into the Web Portal Manager environment.
where:
/cdrom/cdrom0/solaris
Specifies the location of the package.
/cdrom/cdrom0/solaris/pddefault
Specifies the location of the installation administration script.
and where packages are as follows:
PDlic
Specifies the Access Manager License package.
PDJrte
Specifies the Access Manager Runtime for Java package.
PDWPM
Specifies the Access Manager Web Portal Manager package.
Note: These packages must be installed on the same system as IBM WebSphere Application Server.
v For Solaris on x86_64:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages
where:
/cdrom/cdrom0/solaris_x86
Specifies the location of the package.
/cdrom/cdrom0/solaris_x86/pddefault
Specifies the location of the installation administration script.
and where packages are as follows:
PDlic
Specifies the Access Manager License package.
PDJrte
Specifies the Access Manager Runtime for Java package.
PDWPM
Specifies the Access Manager Web Portal Manager package.
Note: These packages must be installed on the same system as IBM WebSphere Application Server.
9. Optional: You can use the IBM WebSphere setupCmdLine script to reset environment variables, including the location of the Java Runtime Environment, before configuring Access Manager Runtime for Java and Web Portal Manager.
a. Run the which java command from the command line to show the default PATH settings being used. For example, the command shows that Java is currently being run from the /usr/bin/java directory.
b. To update the PATH environment variable and reset the JAVA_HOME variable, edit the setupCmdLine.sh file and change the environment variable as needed.
c. Enter:
. /opt/IBM/WebSphere/AppServer/bin/setupCmdLine.sh
Set the JAVA_HOME variable to the Java Runtime Environment that has been configured for Access Manager Runtime for Java. The JAVA_HOME variable should be set to the top directory.
/opt/WebSphere/AppServer/java
10. To view status and messages for the Access Manager Runtime for Java component in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Access Manager Runtime for Java component for use within the Java Runtime Environment installed with WebSphere. To do so, follow these steps:
a. Stop the WebSphere Application Server and the IBM HTTP Server.
b. Change to the /opt/PolicyDirector/sbin directory and enter the following command:
./pdjrtecfg -action config -interactive
c. Select the Full configuration type.
d. Specify the Java Runtime Environment that was installed with IBM WebSphere Application Server. For example:
/opt/WebSphere/AppServer/java/jre
e. Specify the policy server host name, port, and domain. For more information about this utility, see pdjrtecfg on page 579.
12. Restart the WebSphere Application Server and the IBM HTTP Server. To restart the WebSphere Application Server, run the startServer.sh script, located in the /opt/WebSphere/AppServer/bin directory as follows:
./stopServer.sh server1
./startServer.sh server1
Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the /opt/IBMHTTPServer/conf/httpd.conf file, change default port 80 to 8080 as shown, and then restart the IBM HTTP Server.
# Port: The port the standalone listens to.
Port 8080
Specify the necessary configuration parameters, such as IBM WebSphere Application Server installation path, the policy server host name and port number, and the Tivoli Access Manager administrator ID and password. For more information about this utility and all of its parameters, see amwpmcfg on page 557.
14. To access the Web Portal Manager interface, enter the following address in your Web browser:
http://hostname:port/ibm/console
where hostname is the host name of the system where IBM WebSphere Application Server is running, and port is the port number being used, such as 9060. For example:
http://wpm14.example.com:9060/ibm/console
This step completes the setup of a Tivoli Access Manager Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the
Installation process on page 21. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager for e-business: Administration Guide. Note that Tivoli Access Manager does not provide a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server. Purchase a CA certificate and then configure it into the Web Portal Manager environment.
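Two steps of the native procedure above (AIX, HP-UX, Linux and Solaris) are easy to get wrong silently: the JAVA_HOME handed to pdjrtecfg can differ from the java that PATH resolves, and the IBM HTTP Server port can collide with a registry server on the same host. The following POSIX shell script is an added example and is not part of the IBM guide: it checks the Java environment the way the which java step intends, reads the Port directive from an httpd.conf, and rewrites it while refusing a value equal to the registry server's port. The httpd.conf fragment used in the demonstration is constructed, and the registry port 389 used below is an assumption.

```sh
#!/bin/sh
# Added example, not part of the IBM guide: checks before running pdjrtecfg
# and amwpmcfg in the native Web Portal Manager procedure.
#   verify_java_env  - JAVA_HOME is a real Java install and is what "java"
#                      on PATH resolves to (the "which java" step)
#   httpd_port       - read the Port directive of an httpd.conf
#   set_httpd_port   - move IBM HTTP Server to a port the registry does not use
# The registry port (389) and the constructed httpd.conf are assumptions.

# verify_java_env JAVA_HOME
# Returns 0 when JAVA_HOME/bin/java is executable and "java" on PATH lives
# under JAVA_HOME; otherwise prints the reason on stderr and returns 1.
verify_java_env() {
    home=$1
    if [ ! -x "$home/bin/java" ]; then
        echo "verify_java_env: no executable $home/bin/java" >&2
        return 1
    fi
    found=$(command -v java 2>/dev/null) || found=""
    case "$found" in
        "$home"/*) return 0 ;;
        "")  echo "verify_java_env: java is not on PATH" >&2; return 1 ;;
        *)   echo "verify_java_env: PATH resolves java to $found, not under $home" >&2
             return 1 ;;
    esac
}

# httpd_port CONF
# Print the value of the first uncommented Port directive (empty if none).
httpd_port() {
    sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# set_httpd_port CONF NEWPORT REGISTRY_PORT
# Rewrite the Port directive to NEWPORT.  Returns 1 without touching CONF when
# NEWPORT equals the registry server's port, since the guide requires the two
# Web server ports to differ.
set_httpd_port() {
    conf=$1
    newport=$2
    regport=$3
    if [ "$newport" = "$regport" ]; then
        echo "set_httpd_port: port $newport is used by the registry server" >&2
        return 1
    fi
    sed "s/^\([[:space:]]*Port[[:space:]]\{1,\}\)[0-9]\{1,\}/\1$newport/" "$conf" \
        > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Demonstration on a constructed httpd.conf fragment (default port 80 -> 8080).
demo() {
    conf=$(mktemp) || return 1
    printf '# Port: The port the standalone listens to.\nPort 80\n' > "$conf"
    set_httpd_port "$conf" 8080 389
    httpd_port "$conf"          # prints 8080
    rm -f "$conf"
}
demo
```

Run verify_java_env with the directory you intend to pass to pdjrtecfg after sourcing setupCmdLine.sh; a non-zero return means the Runtime for Java would be configured against a different JRE than the one your shell runs. Run set_httpd_port against the real httpd.conf only with the IBM HTTP Server stopped, then restart it as the procedure describes.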
Follow the online instructions and select to install the following packages:
v Access Manager License
v Access Manager Runtime for Java
v Access Manager Web Portal Manager
Note: These packages must be installed on the same system as IBM WebSphere Application Server.
9. Optional: You can use the IBM WebSphere setupCmdLine script to reset environment variables, including the location of the Java Runtime Environment, before configuring Access Manager Runtime for Java and Web Portal Manager.
a. Run the which java command from the command line to show the default PATH settings being used. For example, the command shows that Java is currently being run from the C:\Program Files\IBM\WebSphere\AppServer\java directory.
b. To update the PATH environment variable and reset the JAVA_HOME variable, edit the setupCmdLine.bat file and change the environment variable as needed.
c. Enter:
C:\Program Files\IBM\WebSphere\AppServer\bin\setupCmdLine.bat
Set the JAVA_HOME variable to the Java Runtime Environment that has been configured for Access Manager Runtime for Java. The JAVA_HOME variable should be set to the top directory.
C:\Program Files\IBM\WebSphere\AppServer\java
10. To view status and messages for the Access Manager Runtime for Java component in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Access Manager Runtime for Java component for use within the Java Runtime Environment installed with WebSphere. To do so, follow these steps:
a. Stop the WebSphere Application Server and the IBM HTTP Server.
b. Change to the install_dir\sbin directory (for example, C:\Program Files\Tivoli\Policy Director\sbin), and enter the following command:
pdjrtecfg -action config -interactive
c. Select the Full configuration type and click Next. For descriptions of the configuration options, click Help.
d. Specify the Java Runtime Environment that was installed with IBM WebSphere Application Server. For example:
C:\Program Files\IBM\WebSphere\AppServer\java\jre
Click Next to continue.
e. Specify the policy server host name, port, and domain. Click OK to start configuration.
f. When configuration has completed successfully, click OK to exit the configuration utility. For more information about this utility, see pdjrtecfg on page 579.
12. Restart the IBM WebSphere Application Server and IBM HTTP Server. For example, select Start > Settings > Control Panel > Administrative Tools and then double-click the Services icon to restart these servers.
Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the C:\Program Files\IBMHTTPServer\conf\httpd.conf file, change default port 80 to 8080 as shown, and then restart the IBM HTTP Server.
# Port: The port the standalone listens to.
Port 8080
13. Configure the Access Manager Web Portal Manager package. To do so, follow these steps:
a. Change to the install_dir\sbin directory (for example, C:\Program Files\Tivoli\Policy Director\sbin), and enter the following command:
amwpmcfg -action config -interactive
Specify the necessary configuration parameters, such as IBM WebSphere Application Server installation path, the policy server host name and port number, and the Tivoli Access Manager administrator ID and password. For more information about this utility and all of its parameters, see amwpmcfg on page 557.
b. When configuration has completed successfully, click OK to exit the configuration utility.
14. To access the Web Portal Manager interface, enter the following address in your Web browser:
http://hostname:port/ibm/console
where hostname is the host name of the system where IBM WebSphere Application Server is running, and port is the port number being used, such as 9060. For example:
http://wpm14.example.com:9060/ibm/console
This step completes the setup of a Tivoli Access Manager Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager for e-business: Administration Guide. Note that Tivoli Access Manager does not provide a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server. Purchase a CA certificate and then configure it into the Web Portal Manager environment.
3. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
4. On Windows systems only, exit from all running programs.
5. Run the install_amwebars program, located in the root directory on the IBM Tivoli Access Manager Web Security CD for AIX, HP-UX, Linux on x86, Linux on System z, Solaris, and Windows 2003 platforms. The install_amwebars program is not available for HP-UX on Integrity or Solaris on x86_64. The installation wizard begins by prompting you for configuration information as described in install_amwebars on page 434. Supply the required configuration information, or accept the default values.
6. Compare the disk space that is required to install all of the Access Manager Attribute Retrieval Service components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation. After you review the summary and accept your installation selections and configuration choices, the components are installed and configured without further intervention.
This step completes the setup of the Access Manager Attribute Retrieval Service. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. For information about the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.
where cd_mount_point is the directory where the CD is mounted and PDWeb.ARS is the Access Manager Attribute Retrieval Service package.
Note: This package must be installed on the same system as IBM WebSphere Application Server.
6. Unmount the CD.
7. To deploy the Access Manager Attribute Retrieval Service into the IBM WebSphere Application Server environment, run the Deploy.sh file and follow the instructions in the Readme.deploy file, located in the /opt/pdwebars/ directory.
8. To configure WebSEAL to use the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.
This step completes the setup of the Access Manager Attribute Retrieval Service. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. For information about the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Install the following package:
swinstall -s /cd-rom/hp PDWebARS
where /cd-rom/hp specifies the directory and PDWebARS specifies the Access Manager Attribute Retrieval Service package.
Note: This package must be installed on the same system as IBM WebSphere Application Server.
7. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the mount point.
8. To deploy the Access Manager Attribute Retrieval Service into the WebSphere Application Server environment, run the Deploy.sh file and follow the instructions in the Readme.deploy file, located in the /opt/pdwebars/ directory.
Chapter 11. Setting up the Access Manager Attribute Retrieval Service
9. To configure WebSEAL to use the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.
This step completes the setup of the Access Manager Attribute Retrieval Service. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. For information about the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.
Note: This package must be installed on the same system as IBM WebSphere Application Server.
7. Unmount the CD.
8. To deploy the Access Manager Attribute Retrieval Service into the WebSphere Application Server environment, run the Deploy.sh file and follow the instructions in the Readme.deploy file, located in the /opt/pdwebars/ directory.
9. To configure WebSEAL to use the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.
This step completes the setup of the Access Manager Attribute Retrieval Service. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. For information about the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.
where:
-d /cdrom/cdrom0/solaris
Specifies the location of the package.
-a /cdrom/cdrom0/solaris/pddefault
Specifies the location of the installation administration script.
and PDWebARS specifies the Access Manager Attribute Retrieval Service package.
Note: This package must be installed on the same system as IBM WebSphere Application Server.
6. To deploy the Access Manager Attribute Retrieval Service into the WebSphere Application Server environment, run the Deploy.sh file and follow the instructions in the Readme.deploy file, located in the /opt/pdwebars/ directory.
7. To configure WebSEAL to use the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.
This step completes the setup of the Access Manager Attribute Retrieval Service. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. For information about the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.
2. Ensure that the IBM Java Runtime version 1.5.0 SR5 provided with Tivoli Access Manager is installed. For instructions, see page 321.
3. Install IBM WebSphere Application Server. See Windows: Installing WebSphere Application Server on page 336.
4. Insert the IBM Tivoli Access Manager Web Security for Windows CD.
5. Install the Access Manager Attribute Retrieval Service package. To do so, run the setup.exe executable file located in the following directory:
\windows\PolicyDirector\Disk Images\Disk1
Follow the online instructions to complete the installation.
Note: This package must be installed on the same system as IBM WebSphere Application Server.
6. To deploy the Access Manager Attribute Retrieval Service into the WebSphere Application Server environment, run the Deploy.bat file and follow the instructions in the Readme.deploy file, located in the C:\Program Files\Tivoli\AMWebARS\ directory.
7. To configure WebSEAL to use the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.
This step completes the setup of the Access Manager Attribute Retrieval Service. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. For information about the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.
You can set up this system using the native installation method only. An installation wizard is not available. To configure software packages after installation, use the pdconfig utility.
Complete the instructions that apply to your operating system:
• AIX on page 226
• Red Hat Enterprise Linux on page 227
• Solaris on page 228
• Windows on page 230
This chapter also contains the following topics:
• Preinstallation requirements
• Overview of the plug-in for Edge Server configuration on page 231
For more information, see the IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration Guide.
Preinstallation requirements
Before you install and configure a Tivoli Access Manager plug-in for Edge Server system, ensure that the following requirements are met. These requirements apply regardless of which installation method you plan to use.
• During Tivoli Access Manager configuration on Linux operating systems, scripts might fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, a YaST-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.
• Ensure that a Tivoli Access Manager registry server and the policy server are set up in your secure domain. For instructions on setting up these systems, see Part 2, Base system installation, on page 51.
• Ensure that Tivoli Access Manager supports the platform on which you are running your plug-in for Edge Server.
• Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
where cd_mount_point is the directory where the CD is mounted and packages are as follows:
PD.lic
Specifies the Access Manager License package.
PD.RTE
Specifies the Access Manager Runtime package.
PDWeb.RTE
Specifies the Access Manager Web Security Runtime package.
PDPlgES
Specifies the Access Manager Plug-in for Edge Server package.
8. Unmount the CD.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Edge Server package as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed. b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
The configuration utility completes the following tasks:
• Creates registry objects for the server.
• Adds the server to the security groups ivacld-servers and SecurityGroup.
• Creates an SSL certificate.
• Obtains an SSL-signed certificate from the Tivoli Access Manager policy server.
• Configures the Edge Server caching proxy to use the plug-in for Edge Server by setting directives in the Edge Server caching proxy configuration file, ibmproxy.conf.
• Restarts the Edge Server caching proxy process, ibmproxy.
• Starts the plug-in for Edge Server object space manager utility, wesosm. This utility updates the Tivoli Access Manager object space to create a new object space container for the plug-in for Edge Server.
The configuration completes the setup of a Tivoli Access Manager plug-in for Edge Server system. The Edge Server caching proxy is now running with the plug-in for Edge Server loaded. You can use the administrative user, sec_master, to access the caching proxy's home page.
Red Hat Enterprise Linux: Installing the plug-in for Edge Server
The following procedure uses rpm to install software packages. To install Access Manager Plug-in for Edge Server on Red Hat Enterprise Linux, follow these steps.
1. Log in to the system as root.
2. Ensure that you have met the requirements listed in Preinstallation requirements on page 225.
3. Insert the IBM Tivoli Access Manager Web Security for Linux on x86 CD and mount it.
4. Change to the /mnt/cdrom/linux_i386 directory, where /mnt/cdrom is the mount point for your CD.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 313.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 329.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 324.
8. Install the Tivoli Access Manager packages:
rpm -ihv packages
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Edge Server package as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
The configuration utility completes the following tasks:
• Creates registry objects for the server.
• Adds the server to the security groups ivacld-servers and SecurityGroup.
• Creates an SSL certificate.
• Obtains an SSL-signed certificate from the Tivoli Access Manager policy server.
• Configures the Edge Server caching proxy to use the plug-in for Edge Server by setting directives in the Edge Server caching proxy configuration file, ibmproxy.conf.
• Restarts the Edge Server caching proxy process, ibmproxy.
• Starts the plug-in for Edge Server object space manager utility, wesosm. This utility updates the Tivoli Access Manager object space to create a new object space container for the plug-in for Edge Server.
The configuration completes the setup of a Tivoli Access Manager plug-in for Edge Server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. The Edge Server caching proxy is now running with the plug-in for Edge Server loaded. You can use the administrative user, sec_master, to access the caching proxy's home page.
1. Log on as root.
2. Ensure that you have met the requirements listed in Preinstallation requirements on page 225.
3. Insert the IBM Tivoli Access Manager Web Security for Solaris CD.
4. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.
5. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
6. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.
7. Install the Tivoli Access Manager packages (one at a time):
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
where:
/cdrom/cdrom0/solaris
Specifies the location of the package.
/cdrom/cdrom0/solaris/pddefault
Specifies the location of the installation administration script.
and packages are as follows:
PDlic
Specifies the Access Manager License package.
PDRTE
Specifies the Access Manager Runtime package.
PDWebRTE
Specifies the Access Manager Web Security Runtime package.
PDPlgES
Specifies the Access Manager Plug-in for Edge Server package.
8. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
9. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Edge Server package as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
The configuration utility completes the following tasks:
• Creates registry objects for the server.
• Adds the server to the security groups ivacld-servers and SecurityGroup.
• Creates an SSL certificate.
• Obtains an SSL-signed certificate from the Tivoli Access Manager policy server.
Chapter 12. Setting up the plug-in for Edge Server
• Configures the Edge Server caching proxy to use the plug-in for Edge Server by setting directives in the Edge Server caching proxy configuration file, ibmproxy.conf.
• Restarts the Edge Server caching proxy process, ibmproxy.
• Starts the plug-in for Edge Server object space manager utility, wesosm. This utility updates the Tivoli Access Manager object space to create a new object space container for the plug-in for Edge Server.
The configuration completes the setup of a Tivoli Access Manager plug-in for Edge Server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. The Edge Server caching proxy is now running with the plug-in for Edge Server loaded. You can use the administrative user, sec_master, to access the caching proxy's home page.
The Choose Setup Language dialog is displayed.
9. Select the language that you want to use for the installation and click OK. The Welcome dialog is displayed.
10. Click Next to continue.
11. Read the license agreement and click Yes if you agree to the terms.
12. Select the following packages and click Next:
• Access Manager License
• Access Manager Runtime
• Access Manager Web Security Runtime
• Access Manager Plug-in for Edge Server
13. Accept the default destination directory or click Browse to select a path to another directory on the local system. If the directory does not exist, you must confirm that you want the directory created or specify a directory that exists.
14. To start copying files to the destination folder, click Next.
15. Click Finish to exit the setup program.
16. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
17. Configure the Tivoli Access Manager packages as follows:
a. Start the configuration utility:
pdconfig
The Access Manager Configuration window is displayed.
b. Select the Access Manager Runtime package and click Configure.
c. Select the Access Manager Plug-in for Edge Server package and click Configure. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
The configuration utility completes the following tasks:
• Creates registry objects for the server.
• Adds the server to the security groups ivacld-servers and SecurityGroup.
• Creates an SSL certificate.
• Obtains an SSL-signed certificate from the Tivoli Access Manager policy server.
• Configures the Edge Server caching proxy to use the plug-in for Edge Server by setting directives in the Edge Server caching proxy configuration file, ibmproxy.conf.
• Restarts the Edge Server caching proxy process, ibmproxy.
• Starts the plug-in for Edge Server object space manager utility, wesosm. This utility updates the Tivoli Access Manager object space to create a new object space container for the plug-in for Edge Server.
The configuration completes the setup of a Tivoli Access Manager plug-in for Edge Server system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. The Edge Server caching proxy is now running with the plug-in for Edge Server loaded. You can use the administrative user, sec_master, to access the caching proxy's home page.
With a few exceptions that are documented in the osdef.conf file, any setting can be placed under any definition. For example, the form_session_timeout setting can be placed beneath the [Global] stanza or beneath a [Remote:] stanza, as shown:
[Global]
login_method = forms
form_login_file = /opt/pdweb-lite/samples/forms/welcome.html
form_session_timeout = 10

[Remote: /ESproxy/reverse/anyother.com]
domains = anyother.com

[Remote: /ESproxy/reverse/verysecure.com]
domains = verysecure.com
form_session_timeout = 1
In the above example, any user who logs in to verysecure.com is not allowed to remain idle for more than one minute; otherwise, the session expires. However, for any user who logs in to anyother.com and all other domains, the idle timeout is 10 minutes because it is being set in the [Global] definition. With a few exceptions ([SSO] settings), this model of inheritance can be used on any server setting in the
[Figure: inheritance of settings from the [Global] definition down to the [Local] definition and each [Remote 1] ... [Remote N] server definition]
Using this model of inheritance, settings that are the same for each Web server do not need to be repeated under each server definition but can be listed once underneath the [Global] definition of the configuration file. For example, if all servers use the same form login file, then that setting will be listed in the [Global] definition.
Figure 2. Creation of aliases on a plug-in system
[Figure: a browser sends requests for www.newbooks.com, newbooks.com, newnovels.com, and newpoems.com to the Edge Server, which forwards them to the Web servers behind it: backend1.com hosts www.newbooks.com and newbooks.com; backend2.com hosts newnovels.com; backend3.com hosts newpoems.com]
In this configuration, all requests for www.newbooks.com, newbooks.com, newnovels.com, and newpoems.com arrive at the Edge Server proxy and are secured by the plug-in. Using the domain name as the unique identifier for the request, the plug-in can now search the configuration file for the server definition that matches the domain name. Consider the following osdef.conf configuration file:
[Global]
login_method = basic

# Definition 1
[Remote: /ESproxy/reverse/newbooks.com]
domains = newbooks.com *.newbooks.com
login_method = forms
route = http://backend1.com

# Definition 2
[Remote: /ESproxy/reverse/label2]
domains = newnovels.com
login_method = certificate
route = http://backend2.com

# Definition 3
[Remote: /ESproxy/check_here/this_is_just_a_label]
domains = newpoems.com
route = http://backend3.com
Consider the following requests, for which the plug-in determines the login method, the object space location where the user is authorized, and the destination Web server to which the request is forwarded:
• If a user types the following URL, the plug-in matches the request to definition 1 because the domains setting contains the value *.newbooks.com:
http://www.newbooks.com/private.html
The login method is forms because it is explicitly set under this definition. For the authorization check, the domain name is replaced with the authorization string and the URL path is appended. In this example, the authorization check for read (r) permission is performed at /ESproxy/reverse/newbooks.com/private.html. The request is forwarded to backend1.com because of the route setting.
• If a user types the following URL, the plug-in first performs a reverse DNS lookup on the IP address and matches the request to definition 2 because the domains setting contains the value newnovels.com:
http://IP_address_of_newnovels.com/gifs/private.html
The login method is certificate because it is explicitly set under this definition. The authorization check for read (r) permission is performed at /ESproxy/reverse/label2/gifs/private.html. The request is forwarded to backend2.com because of the route setting.
• If a user types the following URL, the plug-in matches the request to definition 3 because the domains setting contains the value newpoems.com:
http://newpoems.com/logo.gif
The login method is basic because it is not explicitly set under this definition and is therefore inherited from the [Global] definition. The authorization check for read (r) permission is performed at /ESproxy/check_here/this_is_just_a_label/logo.gif. The request is forwarded to backend3.com because of the route setting.
• If a user configures their browser to use Edge Server as a proxy and types the following URL, the plug-in does not find a match for the request and uses the [Global] definition:
http://internet.com/mail/logo.gif
The login method is basic. For the authorization check, the default forward proxy template, /ESproxy/forward/domain/path, is used. In this example, the authorization check for read (r) permission is performed at /ESproxy/forward/internet.com/mail/logo.gif. Because this object might not exist in the object space, the effective permission is inherited from the ACL attached to /ESproxy/forward. The request is automatically forwarded to internet.com because it was a forward proxy request. However, it is possible to create a definition in the configuration file that performs the authorization check at another location in the object space and forwards the internet.com request elsewhere.
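The following Python script is an added example, not code from the guide or from the plug-in itself. It reproduces, for the osdef.conf sample above and for the [Global] inheritance model described earlier, the three decisions the text walks through by hand: which [Remote:] definition a request matches (wildcards in the domains setting are treated as shell-style patterns), which settings are taken from the definition and which are inherited from [Global], and where in the object space the read check is performed. The stanza and setting names come from the guide; the parser, the first-match rule, and the use of the host name instead of a reverse DNS lookup for the newnovels.com case are assumptions made here.

```python
"""Resolve an Edge Server plug-in request against an osdef.conf file.

Added example (not from the IBM guide). Stanza and setting names follow the
guide; the parsing and matching rules are assumptions for illustration.
"""
import fnmatch
from urllib.parse import urlsplit

# Constructed osdef.conf text, combining the guide's inheritance example
# (form_session_timeout) with its three server definitions.
OSDEF_CONF = """
[Global]
login_method = basic
form_session_timeout = 10

[Remote: /ESproxy/reverse/newbooks.com]
domains = newbooks.com *.newbooks.com
login_method = forms
route = http://backend1.com

[Remote: /ESproxy/reverse/label2]
domains = newnovels.com
login_method = certificate
route = http://backend2.com

[Remote: /ESproxy/check_here/this_is_just_a_label]
domains = newpoems.com
route = http://backend3.com
form_session_timeout = 1
"""

# Object-space prefix used when no definition matches (forward proxy template).
FORWARD_TEMPLATE = "/ESproxy/forward"


def parse_osdef(text):
    """Return an ordered list of (stanza_name, {setting: value}) pairs."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            stanzas.append((line[1:-1].strip(), current))
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def _global(stanzas):
    """Settings of the [Global] definition (empty if absent)."""
    for name, settings in stanzas:
        if name == "Global":
            return settings
    return {}


def match_definition(stanzas, host):
    """First [Remote: label] stanza whose domains list matches the host."""
    host = host.lower()
    for name, settings in stanzas:
        if not name.startswith("Remote:"):
            continue
        for pattern in settings.get("domains", "").split():
            if fnmatch.fnmatchcase(host, pattern.lower()):
                return name, settings
    return None, None


def effective(stanzas, settings, key, default=None):
    """Setting from the server definition, else inherited from [Global]."""
    if settings is not None and key in settings:
        return settings[key]
    return _global(stanzas).get(key, default)


def resolve_request(stanzas, url):
    """Login method, authorization object, route and idle timeout for a URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    name, settings = match_definition(stanzas, host)
    if settings is None:
        # No match: [Global] settings and /ESproxy/forward/domain/path.
        return {
            "definition": None,
            "login_method": effective(stanzas, None, "login_method"),
            "auth_object": f"{FORWARD_TEMPLATE}/{host}{path}",
            "route": f"{parts.scheme}://{host}",
            "idle_timeout": int(effective(stanzas, None, "form_session_timeout", "0")),
        }
    # The text after "Remote:" is the authorization string; the URL path is appended.
    label = name.split(":", 1)[1].strip()
    return {
        "definition": label,
        "login_method": effective(stanzas, settings, "login_method"),
        "auth_object": f"{label}{path}",
        "route": settings["route"],
        "idle_timeout": int(effective(stanzas, settings, "form_session_timeout", "0")),
    }


if __name__ == "__main__":
    conf = parse_osdef(OSDEF_CONF)
    for u in ("http://www.newbooks.com/private.html",
              "http://newnovels.com/gifs/private.html",
              "http://newpoems.com/logo.gif",
              "http://internet.com/mail/logo.gif"):
        print(u, resolve_request(conf, u))
```

Running the script prints the same four outcomes the text derives: forms at /ESproxy/reverse/newbooks.com/private.html, certificate at /ESproxy/reverse/label2/gifs/private.html, basic (inherited) at /ESproxy/check_here/this_is_just_a_label/logo.gif with the one-minute idle timeout of that definition, and basic at /ESproxy/forward/internet.com/mail/logo.gif for the unmatched forward-proxy request.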
The plug-in does not consider if the request is a forward or reverse proxy request. In both configurations, the request is handled in the same manner.
In order to apply access control to specific objects using Tivoli Access Manager ACLs, the object space must be structured in a manner where there is a direct mapping between the set of objects that users request in their URLs and the set of objects provided by the Web server. The simplest case is a direct mapping between referenced files in the URLs and actual files on the Web server, as illustrated:
Tivoli Access Manager Object:
/ESproxy/reverse/newbooks.com/server files
/ESproxy/reverse/newbooks.com/private.html
/ESproxy/reverse/newbooks.com/public.html
/ESproxy/reverse/newbooks.com/gifs
/ESproxy/reverse/newbooks.com/gifs/logo.gif
URL Object:
http://www.newbooks.com/server files
The sample query_contents utility provides the wesosm utility with the paths of all files on the Web server. The file information is copied into the object space so that when the plug-in performs the authorization check, there is a direct mapping between the URL objects and server objects. This model works well if the URL objects are always going to be physical files on the destination Web server that the query_contents utility finds. In some cases, the set of URL objects might not correspond directly to physical files on the Web server. In this case, the query_contents utility can be modified to return the virtual objects that are served by the Web server as shown:
Tivoli Access Manager Object:
/ESproxy/reverse/newbooks.com/virtual objects
/ESproxy/reverse/newbooks.com/object1
/ESproxy/reverse/newbooks.com/object2
/ESproxy/reverse/newbooks.com/object3
/ESproxy/reverse/newbooks.com/object3/object3.1
URL Object:
http://www.newbooks.com/virtual objects
http://www.newbooks.com/object1
http://www.newbooks.com/object2
http://www.newbooks.com/object3
http://www.newbooks.com/object3/object3.1
In this scenario, the objects served by the Web server do not correspond directly to physical files on the Web server. However, the Web server understands what these objects are and knows how to retrieve them. As long as the query_contents utility can enumerate these virtual objects for the wesosm utility, the plug-in can perform authorization checks on these virtual objects. The plug-in performs authorization checks by verifying the appropriate permissions in the Tivoli Access Manager object space. It maps the URL to the object space to determine the exact location to perform the authorization check. In order to apply ACLs on specific objects secured by the plug-in, it is necessary to ensure that the set of objects represented in the object space corresponds to the set of objects represented in the URL requests for the secured Web server.
The settings listed in this definition are not related to the settings listed in the [Global], [Local], and [Remote] server definitions. For example, the trust_list setting is not valid underneath any server definition in the configuration file. However, by defining the single sign-on tokens in one place, they can be used as parameters to accept_sso and submit_sso, which are valid underneath the server categories. The following example shows the definition of an iv-user token that is needed by two Web servers:
[Remote: /ESproxy/reverse/newbooks.com]
domains = newbooks.com
accept_sso = mysso
submit_sso = mysso
route = http://backend1.com

[Remote: /ESproxy/reverse/newnovels.com]
domains = newnovels.com
submit_sso = mysso
route = http://backend2.com

[SSO: mysso]
name = iv-user
format = <userid>
trust_basis = IP_Address
trust_list = 0.0.0.0/0.0.0.0
In this example, the plug-in checks for the existence of the iv-user token from any IP address that makes a request to newbooks.com. If the iv-user token is found, it extracts the user ID from the token and authorizes the user. The plug-in also submits the iv-user token to the respective backend server for requests to newbooks.com and newnovels.com.
Because the trust_list value 0.0.0.0/0.0.0.0 covers every source address, any client that can reach newbooks.com and add an iv-user header to its request is accepted as the user named in that header. In a deployment, restrict trust_list to the addresses of the components that legitimately set the token.
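The following Python function is an added example, not code from the guide or from the plug-in. It evaluates an [SSO] definition the way the text describes it: when trust_basis is IP_Address, the iv-user token is honoured only if the requesting address falls inside trust_list. The guide's any-address definition is shown beside a constructed, narrowed one so that the difference is visible; the setting names are the guide's, while the dictionary form of the stanza, the reading of each trust_list entry as network/netmask, and the sample addresses are assumptions.

```python
"""Accept or ignore an SSO token according to an [SSO] trust_list.

Added example (not from the IBM guide). Setting names follow the guide's
[SSO: mysso] stanza; the stanza is modelled as a dictionary and trust_list
entries are read as IPv4 network/netmask pairs, both assumptions made here.
"""
import ipaddress

# The guide's definition: trust_list covers every source address.
SSO_ANY = {
    "name": "iv-user",
    "format": "<userid>",
    "trust_basis": "IP_Address",
    "trust_list": "0.0.0.0/0.0.0.0",
}

# Constructed narrowed definition: one upstream host and one subnet only.
SSO_NARROW = dict(SSO_ANY, trust_list="10.20.30.40/255.255.255.255 192.0.2.0/255.255.255.0")


def parse_trust_list(value):
    """Turn 'addr/netmask addr/netmask ...' into a list of IPv4 networks."""
    return [ipaddress.ip_network(entry, strict=False) for entry in value.split()]


def is_trusted(sso, client_ip):
    """True if client_ip lies within any trust_list entry of the SSO definition."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_trust_list(sso["trust_list"]))


def accept_sso(sso, client_ip, headers):
    """Return the user ID carried by the token if the source is trusted, else None.

    headers is a dict with lower-cased header names (constructed input).
    """
    if sso.get("trust_basis") != "IP_Address":
        return None
    token = headers.get(sso["name"].lower())
    if not token:
        return None                      # no token on the request
    if not is_trusted(sso, client_ip):
        return None                      # token present but source not trusted: ignore it
    return token                         # format = <userid>: the header value is the user ID


if __name__ == "__main__":
    request = {"iv-user": "alice"}       # constructed request header
    for label, sso in (("any", SSO_ANY), ("narrow", SSO_NARROW)):
        for ip in ("203.0.113.7", "10.20.30.40"):
            print(label, ip, accept_sso(sso, ip, request))
```

With SSO_ANY the token is accepted from both sample addresses; with SSO_NARROW it is accepted only from 10.20.30.40 and the request from 203.0.113.7 is treated as unauthenticated.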
Preinstallation requirements
Before you install and configure the Access Manager Plug-in for Web Servers component, ensure that the following requirements are met. These requirements apply regardless of which installation method you plan to use.
• During Tivoli Access Manager configuration on Linux operating systems, scripts might fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, a YaST-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.
• Ensure that a Tivoli Access Manager registry server and the policy server are set up in your secure domain. For instructions on setting up these systems, see Part 2, Base system installation, on page 51.
• Ensure that forward/reverse proxy is disabled in your Web server environment.
• Ensure that your Web server is installed and configured on this system. In addition, your Web server must be configured for SSL, client certificates, or both if you intend to enable SSL communication.
• Ensure that Tivoli Access Manager supports the platform on which you are running your Web server.
• Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
• Ensure that the Apache Web server has Dynamic Shared Objects (DSO) support enabled, because the Tivoli Access Manager Plug-in for Apache Web Server requires DSO.
• For Solaris, ensure that the Apache modules have previously been compiled using the GNU Compiler Collection (GCC) version 3.2 or higher to prevent errors.
• A valid Group ID is required in order to access the Apache Web Server using the plug-in. The default Group ID value of -1 in the Apache configuration file is not valid. Prior to the configuration of the Tivoli Access Manager Plug-in for Web Servers, you must change the Group ID value to a known system group in the Group configuration entry of the Apache configuration file. This change is required only when running Apache on Red Hat Enterprise Linux 5.
7. Compare the disk space that is required to install all of the Tivoli Access Manager plug-in for Web Servers system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation. After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.
8. Restart your Web server after installation is completed.
9. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
10. To start the plug-in for Web Servers, do one of the following tasks:
v On UNIX and Linux systems, change to the /opt/pdwebpi/bin directory and enter the following command:
pdwebpi_start start
v On Windows systems, click Start → Control Panel → Administrative Tools → Services. Right-click Access Manager Plug-in for Web Servers and then select Start.
This step completes the setup of a Tivoli Access Manager Web server plug-in. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
To install the Web server plug-in for Apache Web Server on AIX, follow these steps:
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that you have met the requirements listed in Preinstallation requirements on page 239.
4. Insert the IBM Tivoli Access Manager Web Security for AIX CD and mount it.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
8. Install the Tivoli Access Manager packages:
installp -acgYXd cd_mount_point/usr/sys/inst.images packages
where cd_mount_point is the directory where the CD is mounted and packages are as follows:
PDlic      Specifies the Access Manager License package.
PDRTE      Specifies the Access Manager Runtime package.
PDWebRTE   Specifies the Access Manager Web Security Runtime package.
PDWPI      Specifies the Access Manager Plug-in for Web Servers package.
PDWPIapa   Specifies the Access Manager Plug-in for Apache Web Server package.
Note: These packages must be installed on the same system as the Apache Web Server.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Set the AIX Extended Shared Memory Support (EXTSHM) environment variable to ON prior to configuring the Access Manager Plug-in for Apache Web Server component and also prior to starting the plug-in for Apache Web Server proxy server or the Apache Web server. By default, AIX does not permit 32-bit applications to attach to more than 11 shared memory segments per process.
12. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
13. Restart the Web server.
14. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
15. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:
pdwebpi_start start
This step completes the setup of the Tivoli Access Manager Web server plug-in for Apache Server on AIX. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Access Manager Web Security Runtime package           PDWebRTE-PD-6.1.1.0-0.s390.rpm
Access Manager Plug-in for Web Servers package        PDWPI-PD-6.1.1.0-0.s390.rpm
Access Manager Plug-in for Apache Web Server package  PDWPI-Apache-6.1.1.0-0.s390.rpm
Note: These packages must be installed on the same system as the Apache Web Server.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Tivoli Access Manager packages as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package.
d. Depending on the package that you selected, you are prompted for configuration options. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
12. Restart the Web server.
13. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
14. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:
pdwebpi_start start
This step completes the setup of the Tivoli Access Manager Web server plug-in for Apache Web Server for Linux on System z. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that you have met the requirements listed in Preinstallation requirements on page 239.
4. Insert the IBM Tivoli Access Manager Web Security for Solaris CD.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.
8. Install the Tivoli Access Manager packages (one at a time):
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
where:
/cdrom/cdrom0/solaris            Specifies the location of the package.
/cdrom/cdrom0/solaris/pddefault  Specifies the location of the installation administration script.
and packages are as follows:
PDlic      Specifies the Access Manager License package.
PDRTE      Specifies the Access Manager Runtime package.
PDWebRTE   Specifies the Access Manager Web Security Runtime package.
PDWPI      Specifies the Access Manager Plug-in for Web Servers package.
PDWPIapa   Specifies the Access Manager Plug-in for Apache Web Server package.
Note: These packages must be installed on the same system as the Apache Web Server.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Set the shared memory kernel parameters to values that are larger than the default values. Add the following lines to the /etc/system file to increase the parameters to acceptable values:
set shmsys:shminfo_shmmax=0x2000000
set shmsys:shminfo_shmseg=256
set shmsys:shminfo_shmmni=256
Restart your system for these changes to take effect.
11. Configure the Tivoli Access Manager packages as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package. Depending on the package that you selected, you are prompted for configuration options. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
12. Restart the Web server.
13. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
14. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:
pdwebpi_start start
This step completes the setup of the Tivoli Access Manager Web server plug-in for Apache Web Server on Solaris. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where cd_mount_point is the directory where the CD is mounted and packages are as follows:
PD.lic      Specifies the Access Manager License package.
PD.RTE      Specifies the Access Manager Runtime package.
PDWeb.RTE   Specifies the Access Manager Web Security Runtime package.
PD.WPI      Specifies the Access Manager Plug-in for Web Servers package.
PD.WPIIHS   Specifies the Access Manager Plug-in for IBM HTTP Server package.
Note: These packages must be installed on the same system as IBM HTTP Server.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Set the EXTSHM environment variable to ON prior to configuring the Access Manager Plug-in for IBM HTTP Server component and prior to starting either the plug-in for IBM HTTP Server proxy server or the IBM HTTP Server. By default, AIX does not permit 32-bit applications to attach to more than 11 shared memory segments per process.
12. Configure the Tivoli Access Manager packages as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package. Depending on the package that you selected, you are prompted for configuration options. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
13. Restart the Web server.
14. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
15. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:
pdwebpi_start start
This step completes the setup of the Tivoli Access Manager Web server plug-in for IBM HTTP Server on AIX. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Access Manager Plug-in for Web Servers package          PDWPI-PD-6.1.1.0-0.i386.rpm
Access Manager Plug-in for IBM HTTP Web Server package  PDWPI-IHS-6.1.1.0-0.i386.rpm (for Linux on System z: PDWPI-IHS-6.1.1.0-0.s390.rpm)
Note: These packages must be installed on the same system as IBM HTTP Server.
10. Unmount the CD.
Chapter 13. Setting up the plug-in for Web servers
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Tivoli Access Manager packages as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package. Depending on the package that you selected, you are prompted for configuration options. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
13. Restart the Web server.
14. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
15. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:
pdwebpi_start start
This step completes the setup of the Tivoli Access Manager Web server plug-in for IBM HTTP Server on Linux. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.
8. Install the Tivoli Access Manager packages (one at a time):
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
where:
/cdrom/cdrom0/solaris            Specifies the location of the package.
/cdrom/cdrom0/solaris/pddefault  Specifies the location of the installation administration script.
and where packages are as follows:
PDlic      Specifies the Access Manager License package.
PDRTE      Specifies the Access Manager Runtime package.
PDWebRTE   Specifies the Access Manager Web Security Runtime package.
PDWPI      Specifies the Access Manager Plug-in for Web Servers package.
PDWPIihs   Specifies the Access Manager Plug-in for IBM HTTP Server package.
Note: These packages must be installed on the same system as IBM HTTP Server.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Set the shared memory kernel parameters to values that are larger than the default values. Add the following lines to the /etc/system file to increase the parameters to acceptable values:
set shmsys:shminfo_shmmax=0x2000000
set shmsys:shminfo_shmseg=256
set shmsys:shminfo_shmmni=256
Restart your system for these changes to take effect.
11. Configure the Tivoli Access Manager packages as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package. Depending on the package that you selected, you are prompted for configuration options. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
12. Restart the Web server.
13. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
14. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:
pdwebpi_start start
This step completes the setup of the Tivoli Access Manager Web server plug-in for IBM HTTP Server on Solaris. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
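Step 10 of both Solaris procedures above (the Apache Web Server one and the IBM HTTP Server one) adds three shmsys lines to /etc/system and then requires a reboot. The following added example, which is not part of the IBM guide, checks an /etc/system file for those tunables before the reboot; the file path is a parameter and the minimums are the guide's own values.

```shell
#!/bin/sh
# Verify the shared memory tunables the Solaris steps add to /etc/system.
# Added example, not from the IBM guide. Reports each tunable that is
# missing or below the documented value.

SHMMAX_MIN=33554432   # 0x2000000 from the guide, in decimal
SHMSEG_MIN=256
SHMMNI_MIN=256

# Print the value set for shmsys:$2 in file $1. Lines starting with "*"
# (/etc/system comments) are ignored; the last setting wins, as the kernel
# applies them in order. Prints nothing if the tunable is not set.
etc_system_value() {
    sed -n "s/^[[:space:]]*set[[:space:]]\{1,\}shmsys:$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Print $1 as a decimal number; accepts decimal or 0x-prefixed hex (the form
# the guide uses for shmmax). Returns 1 for anything else, including "".
to_decimal() {
    case "$1" in
        0[xX]*[!0-9a-fA-F]*|0[xX]) return 1 ;;   # "0x" alone or with a non-hex digit
        0[xX]*) printf '%d\n' "$1" ;;
        ''|*[!0-9]*) return 1 ;;
        *) printf '%d\n' "$1" ;;
    esac
}

# Return 0 when all three tunables are present and at least the required
# minimum. One line per tunable is printed so an administrator sees what
# still needs changing before the reboot.
shm_settings_ok() {
    file="$1"; status=0
    for pair in shminfo_shmmax=$SHMMAX_MIN shminfo_shmseg=$SHMSEG_MIN shminfo_shmmni=$SHMMNI_MIN; do
        param=${pair%%=*}; minimum=${pair##*=}
        raw=$(etc_system_value "$file" "$param")
        if ! value=$(to_decimal "$raw"); then
            echo "shmsys:$param: not set in $file (need at least $minimum)"; status=1
        elif [ "$value" -lt "$minimum" ]; then
            echo "shmsys:$param=$value is below the required $minimum"; status=1
        else
            echo "shmsys:$param=$value ok"
        fi
    done
    return $status
}

# Stand-alone run against a constructed sample (not a real /etc/system):
# shmmax and shmmni are as the guide asks, the correct shmseg line was
# commented out and 128 left in force, so the check is expected to fail.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
* constructed sample for the demo
set shmsys:shminfo_shmmax=0x2000000
* set shmsys:shminfo_shmseg=256
set shmsys:shminfo_shmseg=128
set shmsys:shminfo_shmmni=256
EOF
    shm_settings_ok "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

On the Solaris host itself, run `shm_settings_ok /etc/system` before rebooting; the settings only take effect after the restart, so the file is what needs to be right.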
4. Run the setup.exe program from this directory.
5. Install the Tivoli Access Manager packages. To do so, run the setup.exe program, located in the following directory:
\windows\PolicyDirector\Disk Images\Disk1
The Choose Setup Language dialog is displayed.
6. Select the language that you want to use for the installation and click OK.
7. The Welcome window is displayed. Click Next to continue.
8. Read the license agreement and click Yes if you agree to the terms.
9. Select the following packages and click Next:
v Access Manager License
v Access Manager Runtime
v Access Manager Web Security Runtime
v Access Manager Plug-in for Web Servers
v Access Manager Plug-in for IBM HTTP Server
10. Click Next. The Choose Destination Location window is displayed.
11. Accept the default destination directory or click Browse to select a path to another directory on the local system. If the directory does not exist, you must confirm that you want the directory created or specify a directory that exists.
12. Click Next to install IBM HTTP Server. The Setup Complete window is displayed.
13. Click Finish to exit the installation program.
14. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package. To do so, click Start → Programs → IBM Tivoli Access Manager → Configuration. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447.
Note: You can also configure Tivoli Access Manager components by using the pdconfig utility from a command line.
15. Restart the Web server.
16. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
This step completes the setup of the IBM HTTP Server.
The Choose Setup Language dialog is displayed.
9. Select the language that you want to use for the installation and click OK.
10. The Welcome window is displayed. Click Next to continue.
11. Read the license agreement and click Yes if you agree to the terms.
12. Select the following packages and click Next:
v Access Manager License
v Access Manager Runtime
v Access Manager Web Security Runtime
v Access Manager Plug-in for Web Servers
13. Accept the default destination directory or click Browse to select a path to another directory on the local system. If the directory does not exist, you must confirm that you want the directory created or specify a directory that exists.
14. To start copying files to the destination folder, click Next.
15. Click Finish to exit the setup program. Select to restart your computer for changes to take effect.
16. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
17. You must configure IIS to use one of the default identities when running Tivoli Access Manager Plug-in for Microsoft Internet Information Services (IIS) on a Windows 2003 Domain Controller. Because of a limitation of the Windows 2003 operating system, using an identity other than the default user identities will cause a 503 Service Unavailable error.
18. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package. To do so, click Start → Programs → IBM Tivoli Access Manager → Configuration. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447.
Note: You can also configure Tivoli Access Manager components by using the pdconfig utility from a command line.
19. Restart the Web server.
20. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
This step completes the setup of the Tivoli Access Manager Web server plug-in for IIS Web Server on Windows. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.
8. Install the Tivoli Access Manager packages:
installp -acgYXd cd_mount_point/usr/sys/inst.images packages
where cd_mount_point is the directory where the CD is mounted and packages are as follows:
PD.lic         Specifies the Access Manager License package.
PD.RTE         Specifies the Access Manager Runtime package.
PDWeb.RTE      Specifies the Access Manager Web Security Runtime package.
PD.WPI         Specifies the Access Manager Plug-in for Web Servers package.
PD.WPIiPlanet  Specifies the Access Manager Plug-in for Sun Java System Web Server package.
Note: These packages must be installed on the same system as the Sun Java System Web Server.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Tivoli Access Manager packages as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package. Depending on the package that you selected, you are prompted for configuration options. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
12. Restart the Web server.
13. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
14. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:
pdwebpi_start start
This step completes the setup of the Tivoli Access Manager Web server plug-in for Sun Java System Web Server on AIX. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where:
/cdrom/cdrom0/solaris            Specifies the location of the package.
/cdrom/cdrom0/solaris/pddefault  Specifies the location of the installation administration script.
and where packages are as follows:
PDlic      Specifies the Access Manager License package.
PDRTE      Specifies the Access Manager Runtime package.
PDWebRTE   Specifies the Access Manager Web Security Runtime package.
PDWPI      Specifies the Access Manager Plug-in for Web Servers package.
PDWPIipl   Specifies the Access Manager Plug-in for Sun Java System Web Server package.
Note: These packages must be installed on the same system as the Sun Java System Web Server.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Tivoli Access Manager packages as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package. Depending on the package that you selected, you are prompted for configuration options. For assistance with configuration options, see Chapter 22, pdconfig options, on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
11. Restart the Web server.
12. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
13. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:
pdwebpi_start start
This step completes the setup of the Tivoli Access Manager Web server plug-in for Sun Java System Web Server on Solaris. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Note: The wizard detects if a component is installed and does not attempt to reinstall it.
Attention:
v If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.
v If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.
To install and configure a Tivoli Access Manager Web security development (ADK) system using the install_amwebadk wizard, follow these steps:
1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
2. Ensure that the registry server and policy server are up and running (in normal mode).
3. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
4. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
5. On Windows systems only, exit from all running programs.
6. Run the install_amwebadk program, located in the root directory on the IBM Tivoli Access Manager Web Security CD for the supported AIX, HP-UX, HP-UX on Integrity, Solaris, Solaris on x86_64, Linux on x86, Linux on System z, and Windows 2003 platforms.
The installation wizard begins by prompting you for configuration information as described in install_amwebadk on page 430. Supply the required configuration information, or accept default values.
7. Compare the disk space that is required to install all of the IBM Tivoli Directory Server system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation. After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.
This step completes the setup of a Tivoli Access Manager Web security development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
v AIX on page 261
v HP-UX on page 262
v Linux on page 263
v Solaris on page 264
v Windows on page 265
where cd_mount_point is the directory where the CD is mounted and packages are as follows:
PD.lic       Specifies the Access Manager License package.
PD.RTE       Specifies the Access Manager Runtime package.
PDWeb.RTE    Specifies the Access Manager Web Security Runtime package.
PD.AuthADK   Specifies the Access Manager Application Development Kit package.
PDWeb.ADK    Specifies the Access Manager Web Services Application Development Kit package.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Access Manager Runtime package as follows:
a. Start the configuration utility:
pdconfig
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
This step completes the setup of a Tivoli Access Manager Web security development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
9. Install the Tivoli Access Manager packages:
v For HP-UX:
swinstall -s /cd-rom/hp packages
where /cd-rom/hp or /cd-rom/hp_ia64 specifies the directory and packages are as follows:
PDlic      Specifies the Access Manager License package.
PDRTE      Specifies the Access Manager Runtime package.
PDWebRTE   Specifies the Access Manager Web Security Runtime package.
PDADK      Specifies the Access Manager Application Development Kit package.
PDWebADK   Specifies the Access Manager Web Services Application Development Kit package.
10. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the mount point.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime package as follows:
a. Start the configuration utility:
pdconfig
The Tivoli Access Manager Setup Menu is displayed.
b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
This step completes the setup of a Tivoli Access Manager Web security development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Linux on System z (s390)           Linux on POWER (ppc)
PDlic-PD-6.1.1.0-0.s390.rpm        PDlic-PD-6.1.1.0-0.ppc.rpm
PDRTE-PD-6.1.1.0-0.s390.rpm        PDRTE-PD-6.1.1.0-0.ppc.rpm
PDWebRTE-PD-6.1.1.0-0.s390.rpm     PDWebRTE-PD-6.1.1.0-0.ppc.rpm
PDAuthADK-PD-6.1.1.0-0.s390.rpm    PDAuthADK-PD-6.1.1.0-0.ppc.rpm
PDWebADK-PD-6.1.1.0-0.s390.rpm     PDWebADK-PD-6.1.1.0-0.ppc.rpm
10. Unmount the CD.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime package as follows:
   a. Start the configuration utility:
pdconfig
      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
This step completes the setup of a Tivoli Access Manager Web security development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
   - IBM Tivoli Access Manager Web Security for Solaris
   - IBM Tivoli Access Manager Web Security for Solaris on x86_64
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.
8. Install the Tivoli Access Manager packages:
   - For Solaris:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
where -d /cdrom/cdrom0/solaris or -d /cdrom/cdrom0/solaris_x86 specifies the location of the package and where packages are as follows:
   PDlic      Specifies the Access Manager License package.
   PDRTE      Specifies the Access Manager Runtime package.
   PDWebRTE   Specifies the Access Manager Web Security Runtime package.
   PDADK      Specifies the Access Manager Application Development Kit package.
   PDWebADK   Specifies the Access Manager Web Services Application Development Kit package.
When a message queries Do you want to install these as setuid/setgid?, type Y and press Enter. When prompted to continue, type Y and press Enter. When the installation process is complete for each package, the following message is displayed:
Installation of packages successful.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Access Manager Runtime package as follows:
   a. Start the configuration utility:
pdconfig
      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
This step completes the setup of a Tivoli Access Manager Web security development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
To install and configure a Tivoli Access Manager Web security development (ADK) system on Windows 2003, follow these steps:
1. Log on as a user with Administrator group privileges.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the IBM Tivoli Access Manager Web Security for Windows CD.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 315.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 331.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.
8. Install the Tivoli Access Manager packages. To do so, run the setup.exe program located in the following directory:
\windows\PolicyDirector\Disk Images\Disk1
   Follow the online instructions and select to install the following packages:
   - Access Manager License
   - Access Manager Runtime
   - Access Manager Web Security Runtime
   - Access Manager Application Development Kit
   - Access Manager Web Security Application Development Kit
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Access Manager Runtime package as follows:
   a. Start the configuration utility:
pdconfig
      The Access Manager Configuration window is displayed.
   b. Select Access Manager Runtime and click Configure.
      Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
This step completes the setup of a Tivoli Access Manager Web security development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Attention:
- If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.
- If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.
Notes:
1. The wizard detects if a component is installed and does not attempt to reinstall it.
2. You can use the following browsers for the Access Manager WebSEAL interface:
   - Microsoft Internet Explorer for Windows
   - Mozilla for UNIX or Linux
   See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database for the most recent information about which versions of the browsers are supported.
3. If you install WebSEAL on a system that also has Tivoli Access Manager for Operating Systems installed, be sure to add the WebSEAL admin user to the Tivoli Access Manager for Operating Systems admin group.
To install and configure a Tivoli Access Manager WebSEAL system using the install_amweb wizard, follow these steps:
1. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
2. Ensure that the registry server and policy server are up and running (in normal mode).
3. Ensure that the Java Runtime Environment version 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
4. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
   If you install the language support package after configuring the WebSEAL instance, you must manually copy your language-specific .html files into the proper directories:
   a. Copy the language-specific .html files in the /opt/pdweb/html.tivoli/lib/html/<lang> directory to the /opt/pdweb/www-default/lib/html/<lang> directory.
   b. Copy the language-specific .html files in the /opt/pdweb/html.tivoli/lib/errors/<lang> directory to the /opt/pdweb/www-default/lib/errors/<lang> directory.
5. On Windows systems only, exit from all running programs.
6. Run the install_amweb program, located in the root directory on the IBM Tivoli Access Manager Web Security CD for the supported AIX, HP-UX, HP-UX on Integrity, Linux on x86, Linux on System z, Solaris, Solaris on x86_64 and Windows 2003 platforms. The installation wizard begins by prompting you for configuration information as described in install_amweb on page 424. Supply the required configuration information, or accept default values.
7. Compare the disk space that is required to install all of the Tivoli Access Manager WebSEAL system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation.
   After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.
This step completes the setup of a Tivoli Access Manager WebSEAL system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Note: The Tivoli Access Manager WebSEAL system supports multiple instances of WebSEAL on each host computer. See the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide for information on configuring multiple instances of WebSEAL.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
8. Install the Tivoli Access Manager packages:
installp -acgYXd cd_mount_point/usr/sys/inst.images packages
where cd_mount_point is the directory where the CD is mounted and packages are as follows:
   PD.lic     Specifies the Access Manager License package.
   PD.RTE     Specifies the Access Manager Runtime package.
   PDWeb.RTE  Specifies the Access Manager Web Security Runtime package.
   PDWeb.Web  Specifies the Access Manager WebSEAL package.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Access Manager Runtime followed by the Access Manager WebSEAL package as follows:
   a. Start the configuration utility:
pdconfig
      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
      When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.
This step completes the setup of a Tivoli Access Manager WebSEAL system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Note: The Tivoli Access Manager WebSEAL system supports multiple instances of WebSEAL on each host computer. See the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide for information on configuring multiple instances of WebSEAL.
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the CD for your platform:
   - IBM Tivoli Access Manager Web Security for HP-UX
   - IBM Tivoli Access Manager Web Security for HP-UX on Integrity
5. Mount the CD using the HP-UX mount command. For example, enter the following:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
9. Install the Tivoli Access Manager packages:
   - For HP-UX:
swinstall -s /cd-rom/hp packages
where /cd-rom/hp or /cd-rom/hp_ia64 specifies the directory and packages are as follows:
   PDlic      Specifies the Access Manager License package.
   PDRTE      Specifies the Access Manager Runtime package.
   PDWebRTE   Specifies the Access Manager Web Security Runtime package.
   PDWeb      Specifies the Access Manager WebSEAL package.
10. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the mount point.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime followed by the Access Manager WebSEAL package as follows:
   a. Start the configuration utility:
pdconfig
      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
      When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.
This step completes the setup of a Tivoli Access Manager WebSEAL system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Note: The Tivoli Access Manager WebSEAL system supports multiple instances of WebSEAL on each host computer. See the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide for information on configuring multiple instances of WebSEAL.
PDWeb-PD-6.1.1.0-0.s390.rpm
10. Unmount the CD.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime followed by the Access Manager WebSEAL package as follows:
   a. Start the configuration utility:
pdconfig
      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
      When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.
This step completes the setup of a Tivoli Access Manager WebSEAL system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Note: The Tivoli Access Manager WebSEAL system supports multiple instances of WebSEAL on each host computer. See the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide for information on configuring multiple instances of WebSEAL.
To install a Tivoli Access Manager WebSEAL system on Solaris or Solaris x86_64, follow these steps:
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the CD for your platform:
   - IBM Tivoli Access Manager Web Security for Solaris
   - IBM Tivoli Access Manager Web Security for Solaris on x86_64
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.
8. Install the Tivoli Access Manager packages (one at a time):
   - For Solaris:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
where /cdrom/cdrom0/solaris or /cdrom/cdrom0/solaris_x86 specifies the location of the package and packages are as follows:
   PDlic      Specifies the Access Manager License package.
   PDRTE      Specifies the Access Manager Runtime package.
   PDWebRTE   Specifies the Access Manager Web Security Runtime package.
   PDWeb      Specifies the Access Manager WebSEAL package.
When a message queries Do you want to install these as setuid/setgid?, type Y and press Enter. When prompted to continue, type Y and press Enter. When the installation process is complete for each package, the following message is displayed:
Installation of packages successful.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Access Manager Runtime followed by the Access Manager WebSEAL package, as follows:
   a. Start the configuration utility:
pdconfig
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
      When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.
This step completes the setup of a Tivoli Access Manager WebSEAL system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Note: The Tivoli Access Manager WebSEAL system supports multiple instances of WebSEAL on each host computer. See the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide for information on configuring multiple instances of WebSEAL.
   Follow the online instructions and select to install the following packages:
   - Access Manager License
   - Access Manager Runtime
   - Access Manager Web Security Runtime
   - Access Manager WebSEAL
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
10. Configure the Access Manager Runtime followed by the Access Manager WebSEAL package as follows:
   a. Start the configuration utility:
pdconfig
      The Access Manager Configuration window is displayed.
   b. Select the Access Manager Runtime package and click Configure.
   c. Select the Access Manager WebSEAL package and click Configure.
      Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, pdconfig options, on page 447.
This step completes the setup of a Tivoli Access Manager WebSEAL system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Note: The Tivoli Access Manager WebSEAL system supports multiple instances of WebSEAL on each host computer. See the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide for information on configuring multiple instances of WebSEAL.
runtime for Java, the session management server cannot be configured to use multiple Tivoli Access Manager authorization servers. If you intend to configure the session management server to use multiple authorization servers, first install and configure Tivoli Access Manager runtime for Java version 6.1 into WebSphere Application Server.
For more information about distributed sessions management, see the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide.
You can set up this system using one of the following installation methods:
- Installing using the installation wizard on page 282
- Installing using native utilities on page 285
Following installation, you can perform the following tasks:
- Creating the login history database on page 289
- Deploying the Integrated Solutions Console extension on page 291
- Deploying the Session Management Server application on page 291
- Configuring the session management server on page 292
Preinstallation requirements
Before you install and configure a Tivoli Access Manager session management server, you must perform the following preinstallation tasks (as required). These requirements are applicable, regardless of which installation method you plan to use.
- During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, Yast-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on either the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.
- When you deploy the session management server to a cluster, the ObjectGrid toolkit automatically deploys to handle the distribution and management of session data between the different nodes within the cluster. The installation of this toolkit requires approximately 600 MB of disk space on the partitions which hold the WebSphere installation for each node. If you intend to deploy the session management server to a cluster, ensure that you have adequate disk space to install the ObjectGrid toolkit.
- If the IBM WebSphere Application Server is installed, the session management server can be run as a service. The IBM WebSphere Application Server can also be installed as a standalone server, and the session management server can be deployed to an application server or to a cluster.
- A Tivoli Access Manager environment must exist before installing the session management server.
- After installing the session management server, you must reconfigure the Access Manager WebSEAL, or Access Manager Plug-in for Web Servers (or both) to use the session management server for managing sessions.
- The structure of your session realms and associated replica set must be planned and mapped.
- Determine whether you want to have replicated session management server instances that provide failover capability and improved performance.
- If you want to administer the session management system using the pdadmin utility, install and configure an instance of the Tivoli Access Manager authorization server.
- If WebSphere Application Server is running as a non-root user on a UNIX or Linux system, the following steps must be performed:
   - As the root user, grant the WebSphere user write permission to the following directories (and all subdirectories) in the WebSphere Application Server base install directory:
deploytool java lib
     These permissions can be removed after the session management server has been configured.
   - If Tivoli Common Directory is being enabled on the system for the first time, as the root user, create the following directories and grant the WebSphere user permission to create subdirectories in them:
/etc/ibm /var/ibm
   - If Tivoli Common Directory is enabled, grant the WebSphere user write access to the base logging directory, such as /var/ibm/tivoli/common. This permission can be removed after the session management server has been configured.
   - If Tivoli Common Directory is enabled, grant the WebSphere user write access to the session management server logging subdirectory, CTGSM, in the base logging directory.
- Decide if you wish to enable WebSphere global security to ensure that administration actions are secured. Information on enabling global security can be found in the WebSphere Application Server information center at:
   http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
   Specifically, the Setting up and enabling security topic:
   http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.doc/info/ae/ae/tsec_secsetupenable.html
- If WebSphere global security is enabled, create three groups in WebSphere Application Server that can be used to manage the session management server environment:
   - A group for administrators, for example: sms-administrators
   - A group for delegators, for example: sms-delegators
   - A group for clients, for example: sms-clients
   The names of the groups must follow the naming conventions of the user registry used by WebSphere Application Server. You can use existing groups for this purpose, if desired.
- Determine whether you want to enable Secure Sockets Layer (SSL) for session management server communications. You can enable SSL between the Tivoli Access Manager servers in the replica set and the IBM WebSphere Application Server where the session management server is installed.
- If you plan to use Tivoli Access Manager certificates to authenticate with SMS, or if you want to use the Tivoli Access Manager sec_master user (or other users and groups defined in the secAuthority=Default suffix) to administer SMS using either the session management command line or Integrated Solutions Console (ISC), then you must unconfigure the base DN in the LDAP user registry used by WebSphere Application Server. Information on modifying the base DN for the WebSphere Application Server user registry can be found in the WebSphere Application Server information center at:
   http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
   Specifically, the Configuring Lightweight Directory Access Protocol user registries topic:
   http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_ldap.html
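The permission steps for a WebSphere Application Server that runs as a non-root user (write access to deploytool, java and lib, the /etc/ibm and /var/ibm roots, and removal of the access after configuration) can be scripted so that the grant is as narrow and as temporary as the guide allows. This is an added example, not a script from the IBM guide or product; the function names, the use of group write permission rather than ownership changes, and the directory paths passed as arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM guide): grant a non-root WebSphere user
# temporary write access to the WebSphere directories named in the
# preinstallation requirements, then revoke it once the session management
# server is configured. Group-based write access is an assumption; the guide
# only says the WebSphere user needs write permission. On a real system this
# runs as root against the WebSphere base install directory.

# Subdirectories of the WebSphere base install directory named in the guide.
# Unquoted on purpose below so the shell splits it into words.
WAS_SUBDIRS="deploytool java lib"

# sms_grant_write BASE_DIR GROUP
# Gives GROUP write access to BASE_DIR/{deploytool,java,lib} and everything
# below them. Returns 1 if BASE_DIR does not exist or a change fails.
sms_grant_write() {
    base=$1
    grp=$2
    [ -d "$base" ] || return 1
    for sub in $WAS_SUBDIRS; do
        dir="$base/$sub"
        # Skip directories that this WebSphere layout does not have.
        [ -d "$dir" ] || continue
        chgrp -R "$grp" "$dir" || return 1
        chmod -R g+w "$dir" || return 1
    done
    return 0
}

# sms_revoke_write BASE_DIR
# Removes the group write bit again: the guide states these permissions can
# be removed after the session management server has been configured.
sms_revoke_write() {
    base=$1
    for sub in $WAS_SUBDIRS; do
        dir="$base/$sub"
        [ -d "$dir" ] || continue
        chmod -R g-w "$dir" || return 1
    done
    return 0
}

# sms_prepare_tcd ETC_ROOT VAR_ROOT GROUP
# Creates the Tivoli Common Directory roots (/etc/ibm and /var/ibm on a real
# system) and lets GROUP create subdirectories in them. Mode 0775 keeps the
# roots from becoming world-writable.
sms_prepare_tcd() {
    etc_root=$1
    var_root=$2
    grp=$3
    for dir in "$etc_root" "$var_root"; do
        mkdir -p "$dir" || return 1
        chgrp "$grp" "$dir" || return 1
        chmod 0775 "$dir" || return 1
    done
    return 0
}

# sms_is_group_writable PATH
# Succeeds if PATH itself carries the group write bit (mode 020).
sms_is_group_writable() {
    [ -n "$(find "$1" -prune -perm -020 2>/dev/null)" ]
}

# sms_tree_group_writable DIR
# Succeeds if every entry under DIR (DIR included) carries group write;
# any entry lacking the bit makes the find output non-empty.
sms_tree_group_writable() {
    [ -z "$(find "$1" ! -perm -020 2>/dev/null)" ]
}
```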
2. Perform the preinstallation tasks as listed in Preinstallation requirements on page 280.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
5. Because the installation wizard uses the IBM WebSphere Application Server console, ensure that the console is functioning correctly. For example, if you enabled global security within the IBM WebSphere Application Server, the correct security information must also be provided for the console in the was_install_root/profiles/default/properties/soap.client.props properties file.
6. To view status and messages in a language other than English, install a language support package before running an installation wizard. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
7. If the policy server has Federal Information Processing Standard (FIPS) mode enabled, then WebSphere Application Server must be installed and FIPS enabled before using the installation wizard.
8. If WebSphere security and Federal Information Processing Standard (FIPS) mode are enabled, run the IBM WebSphere Application Server setupCmdLine script to set up the correct execution environment for the installation wizard. The setupCmdLine command is located in the bin directory associated with the WebSphere Application Server profile you are using.
   UNIX and Linux:
      . ./setupCmdLine.sh
   Windows:
      setupCmdLine.bat
9. On Windows systems only, exit from all running programs.
10. Run the install_amsms program, located in the root directory on the IBM Tivoli Access Manager Shared Session Management CD for the supported AIX, Linux on x86, Linux on System z, Solaris, and Windows 2003 platforms.
   The installation wizard begins by prompting you for configuration information as described on page 409. Supply the required configuration information, or accept default values.
11. Compare the disk space that is required to install all of the Tivoli Access Manager session management server system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation.
   After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.
Note: During installation of the session management server:
- The DSess.ear file will be deployed as an IBM WebSphere Application Server application. Note that you cannot deploy the Session Management Server application in IBM WebSphere Application Server under a different name. You can deploy only one instance of the Session Management Server application to the IBM WebSphere Application Server if you install using the installation wizard. Additional instances of the Session Management Server application can be deployed at a later stage using the smscfg utility.
Chapter 16. Setting up a session management server
- A warning message will be displayed regarding the implementation of custom permissions. This is expected WebSphere behavior and does not indicate that your application service has been compromised. Installation should continue without further errors.
This step completes the setup of a Tivoli Access Manager session management server system. After installing the session management server, you must configure the Access Manager WebSEAL, or Access Manager Plug-in for Web Servers (or both) to use the session management server for managing sessions. See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for detailed configuration information.
To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where cd_mount_point is the directory where the CD is mounted and where packages are as follows:
   PD.lic     Specifies the Access Manager License package.
   PD.SMS     Specifies the Access Manager Session Management Server package.
8. Unmount the CD.
9. If you are intending to use a DB2 database to store login history information, you must create the database as described in Creating the login history database on page 289.
After installing the session management server, continue with Deploying the Session Management Server application on page 291 and Configuring the session management server on page 292.
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
8. Install the Tivoli Access Manager packages:
swinstall -s /cd-rom/hp packages
where /cd-rom/hp is the directory and where packages are as follows:
   PDlic      Specifies the Access Manager License package.
   PDSMS      Specifies the Access Manager Session Management Server package.
9. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the mount point.
10. If you are intending to use a DB2 database to store login history information, you must create the database as described in Creating the login history database on page 289.
After installing the session management server, continue with Deploying the Session Management Server application on page 291 and Configuring the session management server on page 292.
7. Unmount the CD.
8. If you intend to use a DB2 database to store login history information, you must create the database as described in Creating the login history database on page 289.

After installing the session management server, continue with Deploying the Session Management Server application on page 291 and Configuring the session management server on page 292.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Perform the preinstallation tasks as listed in Preinstallation requirements on page 280.
4. Ensure that the registry server and policy server are up and running (in normal mode).
5. Install the IBM WebSphere Application Server. For instructions, see page 336.
6. Insert the IBM Tivoli Access Manager Shared Session Management for Solaris CD.
7. Install the Tivoli Access Manager packages:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
where:

    /cdrom/cdrom0/solaris              Specifies the location of the package.
    /cdrom/cdrom0/solaris/pddefault    Specifies the location of the installation administration script.

and where packages are as follows:

    PDlic    Specifies the Access Manager License package.
    PDSMS    Specifies the Access Manager Session Management Server package.
When the installation process is complete for each package, the following message is displayed:
Installation of package successful.
8. If you intend to use a DB2 database to store login history information, you must create the database as described in Creating the login history database on page 289.

After installing the session management server, continue with Deploying the Session Management Server application on page 291 and Configuring the session management server on page 292.
6. Insert the IBM Tivoli Access Manager Shared Session Management for Windows CD.
7. Install the Access Manager Session Management Server package. To do so, run the setup.exe program located in the following directory:
\windows\PolicyDirector\Disk Images\Disk1
Follow the online instructions and select to install the following packages:
    - Access Manager License
    - Access Manager Session Management Server
8. If you intend to use a DB2 database to store login history information, you must create the database as described in Creating the login history database.

After installing the session management server, continue with Deploying the Session Management Server application on page 291 and Configuring the session management server on page 292.
    UNIX and Linux    /opt/IBM/WebSphere/AppServer/lib
    Windows           C:\Program Files\IBM\WebSphere\AppServer\lib

8. Verify that the IBM JDBC driver works in WebSphere by changing to the lib subdirectory and entering the following command:
java -classpath db2jcc.jar com.ibm.db2.jcc.DB2Jcc -version
9. Open the WebSphere Application Server administrative console and log in, if necessary.
10. Click Environment > WebSphere Variables.
11. Set the DB2UNIVERSAL_JDBC_DRIVER_PATH variable to the directory where the db2jcc.jar file is located. Save your changes.
12. Log out of the WebSphere Application Server administrative console.
13. Restart your application servers. If using WebSphere Application Server Network Deployment, you also must restart the deployment manager and node manager.
14. Open the WebSphere Application Server administrative console and log in again.
15. Click Resources > JDBC Providers.
16. In a single server environment, select your application server node; in WebSphere Application Server Network Deployment, select your cluster.
17. Click New to create a new JDBC provider. In the Database type field, select DB2. In the Provider type field, select DB2 Universal JDBC Driver Provider. In the Implementation type field, select Connection pool data source. Click Next to continue.
18. On the JDBC Providers Summary page, click Apply to accept the default settings. Do not restart WebSphere Application Server at this time.
19. On the JDBC Providers page, select DB2 Universal JDBC Provider.
20. Click Data sources and then click New to create a new data source and specify the following information:
        Database name    TAMLOGIN
        Driver type      4
        Server name      host_name_of_DB2_system
        Port number      50000
21. Click Apply. You are returned to the previous page.
22. On the JDBC Providers page, select DB2 Universal JDBC Driver DataSource.
23. Click Related items and then click J2EE Connector Architecture (J2C) authentication data entries.
24. Click New to create a new authentication data entry and specify the following information:
        Alias          logindbuser
        User ID        tamloginuser
        Password       password_for_tamloginuser
        Description    Access to TAM Login History Database
    Click Apply. You are returned to the previous page.
25. Return to the DB2 Universal JDBC Driver DataSource properties and, under Component managed authentication alias, select the logindbuser alias. Click Apply.
26. Log out of the WebSphere Application Server administrative console.
27. Restart your application servers. If using WebSphere Application Server Network Deployment, you also must restart the deployment manager and node manager.
28. Open the WebSphere Application Server administrative console and log in again. Click Resources > JDBC Providers > DB2 Universal JDBC Driver Provider > Data Sources. Select your data source and click Test connection. If the test is not successful, diagnose and correct the problem. Otherwise, continue with Deploying the Session Management Server application.
3. When prompted, specify ISC as the instance name.

See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for more detailed deployment information.
1. Before running smscfg, run the WebSphere setupCmdLine.bat script (Windows) or source the setupCmdLine.sh script with ". ./setupCmdLine.sh" (UNIX or Linux), depending on your operating system.
2. Deploy the Session Management Server application using the configuration utility:
smscfg -action deploy
See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for detailed deployment information.
3. Configure the Access Manager Session Management Server package using the configuration utility:
smscfg -action config
See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for detailed configuration information.

This step completes the setup of a Tivoli Access Manager session management server system. After configuration of the session management server, you must configure Access Manager WebSEAL, Access Manager Plug-in for Web Servers, or both to use the session management server for managing sessions.

To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Configuring the session management server using the Integrated Solutions Console (ISC)
To configure the session management server using the Session Management Server Integrated Solutions Console (ISC), do the following:

1. Configure session realms:
    a. Log in to the Session Management Server ISC as the Session Management Server administrator.
    b. Select Tivoli Session Management Server > Configuration.
    c. Select the Session Management Server instance you want to configure and click Configure.
       Note: If you have just deployed or started an instance and it does not appear in the list of Session Management Server instances, click Update SMS instance list.
    d. Select Session Realms.
    e. Select whether enforcement of session limit and displacement policy is enabled.
    f. In the Session realm name field, enter the name of the session realm being configured.
    g. Select the Limit maximum session for this session realm check box to limit the maximum number of simultaneous sessions stored in this session realm. Enter the maximum number of simultaneous sessions to be stored in the Maximum sessions field.
    h. When you have entered the session realm information, click Update session realms. The session realm table is updated with the configuration values you specified.
    i. To create a replica set, select the session realm name from the Session realm name drop-down menu.
    j. Specify the name of the replica set being configured in the Replica set name field.
    k. Click Update replica sets to update the replica set table with the replica set values you specified.
2. Click Database storage. If you want the Session Management Server to store session information in a database, select the Enable the database storage check box.
3. Click TAM integration. Specify whether Tivoli Access Manager integration is enabled. To enable Tivoli Access Manager integration, select the Enable Tivoli Access Manager integration check box.
4. Click Last login recording. Specify whether recording of last login information is enabled. To enable recording of last login information, select the Enable recording of last login information check box.
5. Click TCD logging. To configure Tivoli Common Directory (TCD) logging, specify the following information:
    - Select the Enable Tivoli Common Directory logging check box to enable Tivoli Common Directory logging.
    - Specify a directory to use as the Tivoli Common Directory in the Log directory field. If a Tivoli Common Directory has already been configured on this machine, this value is not used; the configured Tivoli Common Directory is used instead.
6. Click Auditing. Specify whether auditing is enabled. To enable auditing, select the Enable auditing check box.
7. Click Timeouts. Specify the client idle timeout and key lifetime:
    - Enter the length of time, in seconds, after which a client is considered idle. This applies only if the client is not actively requesting updates from the Session Management Server.
    - Enter the number of days, calculated from the generation of a session signing key, after which the Session Management Server automatically generates a new session signing key.
8. Click Summary. Review the configuration options you have selected. When you are ready to configure, click Finish.

This step completes the setup of a Tivoli Access Manager session management server system. After configuration of the session management server, you must configure Access Manager WebSEAL, Access Manager Plug-in for Web Servers, or both to use the session management server for managing sessions.

To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21. See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for detailed configuration information.
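The Timeouts step above sets two values that interact: the client idle timeout (seconds) and the session signing key lifetime (days). The following Python model is an added illustration, not the session management server's own code, and shows how a signing service applies both: the signing key is regenerated once its lifetime has elapsed, and a session whose client has not sent an update within the idle timeout is rejected even when its signature is valid. The class and method names are constructed for this example, and accepting the previous key for verification after a rotation is an assumption made here so that sessions signed just before the rotation remain valid; the guide does not state how the Session Management Server handles that transition.

```python
"""Worked model of the two ISC Timeouts settings: signing key lifetime and
client idle timeout. Added example; not code from the IBM guide or product."""
import hashlib
import hmac
import secrets

DAY = 86400  # seconds in one day; key lifetime is entered in days


class SessionSigner:
    """Signs session identifiers with an HMAC key that is rotated on a
    fixed lifetime, and enforces a client idle timeout on verification."""

    def __init__(self, key_lifetime_days, idle_timeout_seconds, now):
        self.key_lifetime = key_lifetime_days * DAY
        self.idle_timeout = idle_timeout_seconds
        self.current_key = secrets.token_bytes(32)
        self.previous_key = None        # assumption: one old key kept for verification
        self.key_generated_at = now
        self.rotations = 0

    def rotate_if_due(self, now):
        """Generate a fresh signing key once the configured lifetime has elapsed.
        Returns True when a rotation happened."""
        if now - self.key_generated_at >= self.key_lifetime:
            self.previous_key = self.current_key
            self.current_key = secrets.token_bytes(32)
            self.key_generated_at = now
            self.rotations += 1
            return True
        return False

    def _mac(self, key, session_id):
        return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()

    def sign(self, session_id, now):
        """Return a token of the form <session_id>.<hex mac> under the current key."""
        self.rotate_if_due(now)
        return f"{session_id}.{self._mac(self.current_key, session_id)}"

    def verify(self, token, last_update, now):
        """Return 'ok' when the token is valid and the client is not idle,
        otherwise a short reason: 'malformed', 'idle' or 'bad-signature'."""
        self.rotate_if_due(now)
        session_id, _, mac = token.rpartition(".")
        if not session_id:
            return "malformed"
        # Idle check first: an idle client is rejected regardless of signature.
        if now - last_update > self.idle_timeout:
            return "idle"
        for key in (self.current_key, self.previous_key):
            if key is not None and hmac.compare_digest(self._mac(key, session_id), mac):
                return "ok"
        return "bad-signature"


if __name__ == "__main__":
    # Constructed scenario: 30-day key lifetime, 10-minute idle timeout.
    signer = SessionSigner(key_lifetime_days=30, idle_timeout_seconds=600, now=0)
    token = signer.sign("sess-1", now=0)
    print("fresh client:", signer.verify(token, last_update=0, now=100))
    print("idle client :", signer.verify(token, last_update=0, now=700))
    signer.rotate_if_due(30 * DAY)
    print("after 1 rotation:", signer.verify(token, last_update=30 * DAY, now=30 * DAY + 1))
    signer.rotate_if_due(60 * DAY)
    print("after 2 rotations:", signer.verify(token, last_update=60 * DAY, now=60 * DAY + 1))
```

A short key lifetime limits how long a leaked signing key stays useful, while a long idle timeout keeps abandoned sessions verifiable; the model makes the two checks independent so that each setting can be reasoned about on its own.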
Preinstallation requirements
Before you install and configure the Tivoli Access Manager session management command line interface, you must perform the following preinstallation tasks (as required).

- During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, Yast-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on either the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.
- The configuration requires the name and port number of the Web server that is used to access the WebSphere Application Server that hosts the session management server.
- Determine whether you want to enable Secure Sockets Layer (SSL) for session management command line interface communications. You can enable SSL between the session management server and the Tivoli Access Manager authorization server so that all pdadmin command communications are secure.
- If you plan to use the Tivoli Access Manager sec_master user (or other users and groups defined in the secAuthority=Default suffix) to administer SMS using the session management command line, then you must unconfigure the base DN in the LDAP user registry used by WebSphere Application Server. Information on modifying the base DN for the WebSphere Application Server user registry can be found in the WebSphere Application Server information center at:
  http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
  Specifically, the Configuring Lightweight Directory Access Protocol user registries topic:
  http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_ldap.html
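To see why the last requirement above asks for the base DN to be unconfigured, the following Python check (an added example, not part of the guide, of WebSphere or of Tivoli Access Manager) tests whether given administrative DNs fall under a registry base DN: a registry limited to a base DN such as o=example,c=us never finds entries under secAuthority=Default, while an empty base DN covers every entry. The sample DNs, including the cn=SecurityMaster,secAuthority=Default form used here for sec_master, and the function names are constructed for this example.

```python
"""Which administrative DNs does an LDAP user registry with a base DN see?
Added example; not code from the IBM guide, WebSphere or Tivoli Access Manager."""


def split_rdns(dn):
    """Split a DN into its RDN strings on unescaped commas (RFC 4514 style),
    so that a value such as 'cn=a\\,b' stays in one RDN."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return [r.strip() for r in rdns if r.strip()]


def normalize_rdn(rdn):
    """Lower-case attribute type and value and trim whitespace; the attribute
    types used here (cn, ou, o, c, secAuthority) match case-insensitively."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def normalize_dn(dn):
    return [normalize_rdn(r) for r in split_rdns(dn)]


def dn_under_base(dn, base_dn):
    """True when dn is the base DN itself or lies below it. An empty base DN,
    the 'unconfigured' state the guide asks for, covers every entry."""
    base = normalize_dn(base_dn)
    if not base:
        return True
    entry = normalize_dn(dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def excluded_admins(base_dn, admin_dns):
    """Return the administrative DNs the registry would NOT find."""
    return [d for d in admin_dns if not dn_under_base(d, base_dn)]


# Constructed sample DNs: the Tivoli Access Manager administrator under the
# secAuthority=Default suffix, and an administrator in an ordinary org suffix.
SAMPLE_ADMINS = [
    "cn=SecurityMaster,secAuthority=Default",
    "cn=Jane Admin,ou=Admins,o=example,c=us",
]

if __name__ == "__main__":
    for base in ("o=example,c=us", ""):
        print(f"base DN {base!r}: not visible -> {excluded_admins(base, SAMPLE_ADMINS)}")
```

The check is purely lexical: it answers whether a DN sits inside the registry's search scope, which is the property a base DN restricts, and says nothing about whether the bind or search itself would succeed.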
7. Run the install_amsmscli program, located in the root directory on the IBM Tivoli Access Manager Shared Session Management CD for the supported AIX, HP-UX, Solaris, Linux on x86, Linux on System z, and Windows 2003 platforms. The install_amsmscli program is not available on HP-UX on Integrity or Solaris on x86_64. The installation wizard begins by prompting you for configuration information as described on page 420. Supply the required configuration information, or accept default values.
8. Compare the disk space that is required to install all of the Tivoli Access Manager session management command line system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation.

After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.

This step completes the setup of a Tivoli Access Manager session management command line system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Note: The Tivoli Access Manager Runtime (PD.RTE) and Tivoli Access Manager Authorization Server (PD.Acld) packages are required only if you want to administer using the pdadmin utility.
where cd_mount_point is the directory where the CD is mounted and packages are as follows:

    PD.lic       Specifies the Access Manager License package.
    PD.RTE       Specifies the Access Manager Runtime package.
    PD.Acld      Specifies the Access Manager Authorization Server package.
    PD.SMSCLI    Specifies the Access Manager Session Management Command Line package.

10. Unmount the CD.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime and Access Manager Authorization Server packages as follows:
    a. Start the configuration utility:
pdconfig
    The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure, one at a time. When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.
13. Configure the Access Manager Session Management Command Line package by running the pdsmsclicfg utility:
pdsmsclicfg -action config
    For assistance with additional configuration options, see pdsmsclicfg on page 586.
14. You must manually start the authorization server that is hosting the session management command line after configuration.

This step completes the setup of a Tivoli Access Manager session management command line system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.

7. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
8. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.
9. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
10. Install the Tivoli Access Manager packages:
swinstall -s /cd-rom/hp packages
where /cd-rom/hp is the directory and packages are as follows:

    PDlic       Specifies the Access Manager License package.
    PDRTE       Specifies the Access Manager Runtime package.
    PDAcld      Specifies the Access Manager Authorization Server package.
    PDSMSCLI    Specifies the Access Manager Session Management Command Line package.

11. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the mount point.

12. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
13. Configure the Access Manager Runtime and Access Manager Authorization Server packages as follows:
    a. Start the configuration utility:
pdconfig
    The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed. Select the menu number of the package that you want to configure. When a message is displayed that indicates the package has been successfully configured, select the x option twice to close the configuration utility.
14. Configure the Access Manager Session Management Command Line package by running the pdsmsclicfg utility:
pdsmsclicfg -action config
    For assistance with additional configuration options, see pdsmsclicfg on page 586.
15. You must manually start the authorization server that is hosting the session management command line after configuration.

This step completes the setup of a Tivoli Access Manager session management command line system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime and Access Manager Authorization Server packages as follows:
    a. Start the configuration utility:
pdconfig
    The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed. Select the menu number of the package that you want to configure. When a message is displayed that indicates the package has been successfully configured, select the x option twice to close the configuration utility.
13. Configure the Access Manager Session Management Command Line package by running the pdsmsclicfg utility:
pdsmsclicfg -action config
    For assistance with additional configuration options, see pdsmsclicfg on page 586.
14. Manually start the authorization server that is hosting the session management command line after configuration. When a message is displayed that indicates the package has been successfully configured, select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager session management command line system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
8. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
9. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.
10. Install the Tivoli Access Manager packages:
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
where:

    /cdrom/cdrom0/solaris              Specifies the location of the package.
    /cdrom/cdrom0/solaris/pddefault    Specifies the location of the installation administration script.

and where packages are as follows:

    PDlic       Specifies the Access Manager License package.
    PDRTE       Specifies the Access Manager Runtime package.
    PDAcld      Specifies the Access Manager Authorization Server package.
    PDSMSCLI    Specifies the Access Manager Session Management Command Line package.

When the installation process is complete for each package, the following message is displayed:
Installation of package successful.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
12. Configure the Access Manager Runtime and Access Manager Authorization Server packages as follows:
    a. Start the configuration utility:
pdconfig
    The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure.
13. Configure the Access Manager Session Management Command Line package by running the pdsmsclicfg utility:
pdsmsclicfg -action config
    For assistance with additional configuration options, see pdsmsclicfg on page 586.
14. You must manually start the authorization server that is hosting the session management command line after configuration. When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager session management command line system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Chapter 17. Setting up the session management command line
Follow the online instructions and select to install the following packages:
    - Access Manager License
    - Access Manager Runtime
    - Access Manager Authorization Server
    - Access Manager Session Management Command Line
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see Installing language support packages for Tivoli Access Manager on page 37.
11. Configure the Access Manager Runtime and Access Manager Authorization Server packages as follows:
    a. Start the configuration utility:
pdconfig
    The Access Manager Configuration window is displayed.
    b. Select the Access Manager Runtime and Access Manager Authorization Server packages and click Configure. You are prompted for configuration options.
12. Configure the Access Manager Session Management Command Line package by running the pdsmsclicfg utility:
pdsmsclicfg -action config
For assistance with additional configuration options, see pdsmsclicfg on page 586.
This step completes the setup of a Tivoli Access Manager session management command line system. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
Chapter 20. Installation wizard scenarios . . . Installing the IBM Tivoli Directory Server (install_ldap_server wizard) . . . . . . . . Pre-installation requirements . . . . . . . install_ldap_server scenario . . . . . . . Installing the policy server (install_ammgr wizard) Chapter 21. Installation wizard options . Access Manager Runtime (LDAP) . . . Access Manager Runtime (Active Directory) Access Manager Runtime (Domino) . . . install_amacld . . . . . . . . . . install_amadk . . . . . . . . . . install_amjrte . . . . . . . . . . install_ammgr . . . . . . . . . . install_amproxy . . . . . . . . . install_amrte . . . . . . . . . . install_amsms . . . . . . . . . . install_amsmscli . . . . . . . . . install_amweb . . . . . . . . . . install_amwebadk . . . . . . . . . install_amwebars . . . . . . . . . install_amwpi . . . . . . . . . .
Chapter 19. Uninstalling components . . . . 347 Unconfiguring Tivoli Access Manager components 348
Copyright IBM Corp. 2001, 2010
. . . 377 . . . 378 . . . 382 . . . 389 . . . 392 . . . 396 . . . 397 . . . 399 . . . 404 . . . 408 . . . 409 . . . 420 . . . 424 . . . 430 . . . 434 . . . 435
307
install_amwpm . . install_ldap_server
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. 439 . 442 447 448 451 455 457 458 459 461 462 464 465 467 468 471
Chapter 22. pdconfig options . . . . . . . Access Manager Runtime LDAP . . . . . . Access Manager Runtime Active Directory . . Access Manager Runtime Domino . . . . . Access Manager Attribute Retrieval Service . . . Access Manager Authorization Server . . . . . Access Manager Runtime for Java . . . . . . Access Manager Plug-in for Edge Server . . . . Access Manager Plug-in for Web Servers on UNIX Access Manager Plug-in for Web Servers on Windows . . . . . . . . . . . . . . . Access Manager Policy Server . . . . . . . . Access Manager Policy Proxy Server . . . . . Access Manager Web Portal Manager . . . . . Access Manager WebSEAL . . . . . . . . .
Chapter 23. Enabling Secure Sockets Layer (SSL) security. . . . . . . . . . . . . 473 Configuring IBM Tivoli Directory Server for SSL access . . . . . . . . . . . . . . . . 474 Creating the key database file . . . . . . . 474 Requesting or creating a personal certificate . . 475 Using certificates from a Certificate Authority (CA) . . . . . . . . . . . . . . . 475 Requesting a personal certificate from a Certificate Authority (CA) . . . . . . . 476 Receiving a personal certificate from a Certificate Authority (CA) . . . . . . . 476 Adding the signer certificate for the Certificate Authority (CA) . . . . . . . 477 Using self-signed certificates . . . . . . . 477 Creating a self-signed certificate . . . . . 478 Extracting the certificate . . . . . . . . 478 Configuring a key database file for Tivoli Directory Server . . . . . . . . . . . 479 Using the Web Administration Tool: . . . . 479 Using the command line: . . . . . . . 479 Enabling SSL for Tivoli Directory Server . . . 480 Using the Web Administration Tool: . . . . 480 Using the command line: . . . . . . . 481 Verifying that SSL has been enabled on the server . . . . . . . . . . . . . . . 482 Enabling FIPS . . . . . . . . . . . . 483 Configuring IBM z/OS LDAP servers for SSL access . . . . . . . . . . . . . . . . 485 Setting the security options . . . . . . . . 485 Creating a key database file . . . . . . . 486 Configuring Microsoft Active Directory for SSL access . . . . . . . . . . . . . . . . 488 Verifying that SSL is enabled on the Active Directory server . . . . . . . . . . . 488 Exporting the certificate from the Active Directory server . . . . . . . . . . . 488 Importing the certificate on the LDAP client system . . . . . . . . . . . . . . 489 Testing SSL access . . . . . . . . . . . 489 Configuring Active Directory Application Mode (ADAM) for SSL access . . . . . . . . . . 491
Setting up Active Directory Application Mode (ADAM) to use SSL (Example) . . . . . . Configuring Access Manager SSL for use with Active Directory Application Mode (ADAM) . . . . . . . . . . . . . Disabling SSL for Active Directory Application Mode (ADAM) . . . . . . Configuring Novell eDirectory server for SSL access . . . . . . . . . . . . . . . . Creating an organizational certificate authority object . . . . . . . . . . . . . . . Creating a self-signed certificate . . . . . . Creating a server certificate for the LDAP server Enabling SSL . . . . . . . . . . . . Adding the self-signed CA certificate to the IBM key file . . . . . . . . . . . . . . Configuring Sun Java System Directory Server for SSL access . . . . . . . . . . . . . . Obtaining a server certificate . . . . . . . Installing the server certificate . . . . . . . Enabling SSL access . . . . . . . . . . Configuring the Tivoli Directory Server client for SSL access . . . . . . . . . . . . . . Creating the key database file . . . . . . . Adding the signer certificate to the client key database file . . . . . . . . . . . . . Configuring the client for SSL communications Testing SSL access from the client . . . . . Configuring SSL for server and client authentication . . . . . . . . . . . . . Creating the key database file on the client . . Requesting or creating a personal certificate on the client . . . . . . . . . . . . . . Using certificates from a Certificate Authority (CA) on the client . . . . . . . . . . . Requesting a personal certificate from a Certificate Authority (CA) . . . . . . . Receiving a personal certificate from a Certificate Authority (CA) . . . . . . . Adding the signer certificate for the Certificate Authority (CA) . . . . . . . Using self-signed certificates on the client . . . Creating a self-signed certificate . . . . . Extracting the certificate . . . . . . . . Adding the signer certificate to the server key database file . . . . . . . . . . . . . 
Testing SSL access when using server and client authentication . . . . . . . . . . . . Chapter 24. AIX: Setting up a standby policy server . . . . . . . . . . . . . . Preinstallation requirements . . . . . . . HACMP environment scenario . . . . . . Example HACMP configuration . . . . . Part 1: Overall HACMP cluster topology . Part 2: Cluster resources within HACMP topology . . . . . . . . . . . . Part 3: Application server definition within HACMP topology . . . . . . . . . Creating a standby policy server environment .
491
493 494 495 495 496 496 497 497 498 498 499 499 501 501 502 503 503 504 504 505 505 505 506 506 507 507 508 508 509
. . . . .
308
Script: Setting UIDs for both the primary and standby systems . . . . . . . . . . Script: Linking files and directories on the primary system. . . . . . . . . . . Example: Verifying the primary server directories, soft links, and permissions . . . Script: Linking from the AIX system files to the shared directory on the standby system . . Example: Verifying standby server directories, soft links and permissions . . . . . . .
Prerequisite systems . . . Base systems . . . . . Web security systems . . . Session management systems Response file template . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
Chapter 28. Using software package definition files . . . . . . . . . . . . . . . . 621 Chapter 29. Tivoli Access Manager registry adapter for WebSphere federated repositories . Tivoli Access Manager registry adapter installation Configuring the Tivoli Access Manager registry adapter . . . . . . . . . . . . . . . Configuring a Tivoli Access Manager adapter Configuring the adapter as a WebSphere custom registry . . . . . . . . . . . . . . Troubleshooting WebSphere login failure . . . . Tivoli Access Manager registry adapter limitations
Chapter 25. Setting up a Tivoli Directory Server proxy environment . . . 535
  Configuring the Tivoli Directory Server proxy . . . 535
    Type of configuration information . . . 536
    Synchronizing server instances . . . 537
    Creating server instances . . . 537
    Global administration group . . . 537
      Creating a user entry for membership in the global administrators group . . . 538
      Adding user entries to the global administration group . . . 538
    Configuring the Tivoli Directory Server proxy server . . . 538
      Adding back-end servers to the proxy server . . . 539
    Partitioning to back-end servers . . . 540
      Synchronizing global policies . . . 540
      Dividing the data into partitions . . . 541
      Assigning partition index values to the servers . . . 541
      Instantiating the suffix object . . . 541
    Setting up a proxy environment for Tivoli Access Manager . . . 542
      Adding the Tivoli Access Manager suffix to the proxy . . . 542
  Configuring Tivoli Access Manager to use the proxy . . . 543
    Redirecting the policy server to the proxy . . . 544
    Setting access controls for the proxy . . . 545
  Unconfiguring Tivoli Access Manager from the proxy . . . 545
Chapter 26. Tivoli Access Manager utilities . . . 547
  amauditcfg . . . 548
  amwebcfg . . . 552
  amwpmcfg . . . 557
  bassslcfg . . . 561
  install_component . . . 564
  ivrgy_tool . . . 569
  mgrsslcfg . . . 572
  pdbackup . . . 574
  pdconfig . . . 578
  pdjrtecfg . . . 579
  pdproxycfg . . . 583
  pdsmsclicfg . . . 586
  pdversion . . . 589
  pdwpicfg . . . 591
  smscfg . . . 594
  svrsslcfg . . . 601
Chapter 27. Using response files . . . 607
Part 5. Reference information
where cd_mount_point is the directory where the CD is mounted. Note: If you are installing GSKit on an IBM Tivoli Directory Server system, both the 32-bit and 64-bit runtime packages are required. To install the 64-bit package, enter the following command:
installp -acgYXd cd_mount_point/usr/sys/inst.images gsksa.rte
After you install GSKit, no configuration is necessary. To set up the key management utility installed with GSKit, see instructions in Setting up the GSKit iKeyman utility on page 315. For more information, see Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 473 or the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
5. Install IBM Global Security Kit (GSKit) for your platform.
   Attention: If you are installing GSKit for an IBM Tivoli Directory Server system, both the 32-bit and 64-bit runtime packages are required. Only the 64-bit package is provided on the IBM Tivoli Access Manager Directory Server (2 of 2) CD.
   v HP-UX 32-bit
swinstall -s /cd_mount_point/hp gsk7bas
   v HP-UX 64-bit
swinstall -s /cd_mount_point/hp gsk7bas64
and
swinstall -s /cd_mount_point/hp gsk7bas
   v HP-UX on Integrity (the 32-bit runtime package, installed in addition to the 64-bit package)
swinstall -s /cd_mount_point/hp_ia64 gsk7bas32
where /cd_mount_point is the mount point. After you install GSKit, no configuration is necessary. To set up the key management utility installed with GSKit, see instructions in Setting up the GSKit iKeyman utility on page 315. For more information, see Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 473 or the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.
Chapter 18. Installing prerequisite products
and, on Linux on POWER, the 32-bit GSKit runtime package:
rpm -ihv gsk7bas-7.0-4.11.ppc32.rpm
To set up the key management utility installed with GSKit, see instructions in Setting up the GSKit iKeyman utility on page 315. For more information, see Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 473 or the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.
v Solaris 64-bit
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas64
and
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas
v Solaris on x86_64 (the 32-bit runtime package, installed in addition to the 64-bit package, as on Solaris SPARC)
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault gsk7bas
To set up the key management utility installed with GSKit, see instructions in Setting up the GSKit iKeyman utility. For more information, see Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 473 or the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.
5. Click Next. The Choose Destination Location window is displayed.
6. Accept the default destination directory or click Browse to select a path to another directory on the local system. If the directory does not exist, you must confirm that you want the directory created or specify a directory that exists.
7. Click Next to install GSKit. The Setup Complete window is displayed.
8. Click Finish to exit the installation program.
After you install GSKit, no configuration is necessary. To set up the key management utility installed with GSKit, see instructions in Setting up the GSKit iKeyman utility. For more information, see Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 473 or the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.
the java.security file associated with the Java Runtime Environment (JRE). These changes are not compatible with the requirements of the Access Manager Runtime for Java.
To enable support for CMS key database files in GSKit, follow these steps:
1. Ensure that the following components are installed on your system:
   v IBM Global Security Kit (GSKit) (For instructions, see Installing the IBM Global Security Kit (GSKit) on page 311.)
   v Java Runtime Environment (JRE) (For instructions, see Installing IBM Java Runtime on page 318.)
2. Ensure that the JAVA_HOME environment variable points to the directory where the IBM Java Runtime is installed. iKeyman uses JAVA_HOME to locate the JRE it must run with, so the variable must point at the Java installation directory. The following examples show how to set it; replace the example location with the install location of your JRE.
   Windows example:
set JAVA_HOME=c:\Program Files\IBM\Java15
UNIX Example:
export JAVA_HOME=/usr/opt/IBMJava2-15
3. Download the unrestricted JCE policy files for your operating system. Note that Tivoli Access Manager Runtime for Java 1.5 uses the 1.4 policy files. Download them from the following Web sites:
   AIX, Linux, and Windows systems
   https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk
   After authenticating, download the Unrestricted JCE Policy files for SDK 1.4.2 Version 1.4.2 archive file.
   HP-UX and Solaris systems
   http://java.sun.com/j2se/1.4.2/download.html#docs
   In the Other Downloads section, download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 1.4.2 archive file.
4. Remove gskikm.jar from $JAVA_HOME/jre/lib/ext.
5. Copy local_policy.jar to $JAVA_HOME/jre/lib/security.
6. Copy US_export_policy.jar to $JAVA_HOME/jre/lib/security.
   Note: Steps 4 to 7 are written for a JAVA_HOME that points at the SDK root, as in the step 2 examples. If JAVA_HOME points at the jre directory itself, the same files are under $JAVA_HOME/lib/ext and $JAVA_HOME/lib/security. The stock JRE ships restricted policy jars with these same two names, so make sure the copies actually overwrite them; a file that is merely present proves nothing.
7. Using a text editor, open $JAVA_HOME/jre/lib/security/java.security and add the IBM CMS security provider and the IBM JCE FIPS security provider.
   Note: The order in which you specify the security providers is important. The providers are tried in numeric order, and the first provider that supports the requested algorithm is used. On HP-UX and Solaris systems, the first provider must always be sun.security.provider.Sun.
8. Read the file located at $JAVA_HOME/README_FIRST. To use the iKeyman utility to enable SSL with a supported registry server, see Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 473. General information on the iKeyman utility can be found in the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.
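An added check for steps 4 to 7 of the procedure above. This is example code written for this page, not part of the IBM guide. It parses the security.provider.N lines of a java.security file and reports duplicate or gapped numbers (Java loads security.provider.1, .2, ... and stops at the first missing number, so anything after a gap is silently ignored), enforces the Sun-first rule on HP-UX and Solaris, confirms both IBM providers are in the loaded part of the list, and checks that gskikm.jar is gone from lib/ext. The two IBM provider class names are assumptions; the guide names the providers but not their classes. The sample java.security fragments are constructed. Whether the unrestricted policy jars really replaced the stock ones cannot be told from file names; verify that from Java with javax.crypto.Cipher.getMaxAllowedKeyLength.

```python
"""Checks for the GSKit iKeyman Java setup (added example, not IBM code)."""
import os
import re

PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")
SUN_PROVIDER = "sun.security.provider.Sun"
# Assumed class names for the two providers step 7 tells you to add;
# the guide does not state them.
CMS_PROVIDER = "com.ibm.security.cmskeystore.CMSProvider"
FIPS_PROVIDER = "com.ibm.crypto.fips.provider.IBMJCEFIPS"


def parse_providers(java_security_text):
    """Return ({number: class}, [duplicate numbers]); comment lines are skipped."""
    providers, duplicates = {}, []
    for line in java_security_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PROVIDER_RE.match(line)
        if m:
            n = int(m.group(1))
            if n in providers:
                duplicates.append(n)
            providers[n] = m.group(2)
    return providers, duplicates


def loaded_provider_order(providers):
    """The list Java actually loads: 1, 2, ... up to the first missing number."""
    order, n = [], 1
    while n in providers:
        order.append(providers[n])
        n += 1
    return order


def check_provider_order(java_security_text, platform):
    """Return a list of problems; an empty list means the provider list is usable."""
    problems = []
    providers, duplicates = parse_providers(java_security_text)
    for n in duplicates:
        problems.append("security.provider.%d is defined more than once" % n)
    order = loaded_provider_order(providers)
    if len(order) < len(providers):
        problems.append("gap at security.provider.%d: later providers are never loaded"
                        % (len(order) + 1))
    if platform in ("hpux", "solaris") and (not order or order[0] != SUN_PROVIDER):
        problems.append("first provider must be %s on %s" % (SUN_PROVIDER, platform))
    for required in (CMS_PROVIDER, FIPS_PROVIDER):
        if required not in order:
            problems.append("%s is not in the loaded provider list" % required)
    return problems


def jre_lib_dir(java_home):
    """Steps 4 to 7 use JAVA_HOME/jre/lib; also accept a JAVA_HOME that is the jre."""
    jre = os.path.join(java_home, "jre")
    return os.path.join(jre, "lib") if os.path.isdir(jre) else os.path.join(java_home, "lib")


def check_ext_dir(ext_file_names):
    """Step 4: gskikm.jar must have been removed from lib/ext."""
    return ["gskikm.jar is still present in lib/ext (step 4)"] if "gskikm.jar" in ext_file_names else []


def check_java_home(java_home, platform):
    """Run every check against a real installation and return the combined problems."""
    lib = jre_lib_dir(java_home)
    problems = check_ext_dir(os.listdir(os.path.join(lib, "ext")))
    with open(os.path.join(lib, "security", "java.security")) as f:
        problems += check_provider_order(f.read(), platform)
    return problems


# Constructed java.security fragment for a Solaris system: Sun first, IBM providers appended.
SAMPLE_OK = """
# comment line
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.security.cmskeystore.CMSProvider
security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.4=sun.security.rsa.SunRsaSign
"""

# Constructed bad fragment: IBM provider first (wrong on Solaris) and no provider 4,
# so provider 5 is never loaded.
SAMPLE_BAD = """
security.provider.1=com.ibm.security.cmskeystore.CMSProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.5=sun.security.rsa.SunRsaSign
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_provider_order(text, "solaris") or "no problems")
```

Run it with no arguments to see the two constructed samples evaluated, or call check_java_home("/usr/java15", "hpux") against a real installation after completing step 7.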
where cd_mount_point is the directory where the CD is mounted and packages are as follows:
   Java5.ext      Specifies the IBM Java Runtime extensions package.
   Java5.samples  Specifies the IBM Java Runtime sample files package.
   Java5.sdk      Specifies the IBM Java Runtime software development kit (SDK) extensions package.
   Java5.source   Specifies the IBM Java Runtime source files package.
5. Do one of the following tasks: v Set the PATH environment variable. For example:
export PATH=/usr/java5/jre/bin:$PATH
   Note: To display whether IBM Java Runtime 1.5.0 SR5 is already in the path, use the java -version command.
   v Set the JAVA_HOME environment variable to the path where you installed IBM Java Runtime. For example, using ksh, enter the following to define JAVA_HOME:
export JAVA_HOME=/usr/java5/jre
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point. Note that specific patches are required before the HP-UX mount command can be used. See the IBM Tivoli Access Manager for e-business: Release Notes.
5. Do one of the following:
   Note: The installation wizards expect the JRE to be installed in the default location.
   v If you plan to use the default installation path, set the PATH environment variable:
export PATH=java_path:$PATH
For example:
export PATH=/usr/java15/jre/bin:$PATH
   Note: To display whether IBM Java Runtime 1.5.0 SR5 is already in the path, use the java -version command.
   v If you plan to use an installation path other than the default, set the JAVA_HOME environment variable to the path where you plan to install IBM Java Runtime. For example, enter the following to define JAVA_HOME:
export JAVA_HOME=/usr/mypath/java15/jre
6. Install the IBM Java Runtime package:
   a. Enter: mkdir -p /usr/java15
   b. Enter: cd /usr/java15
   c. Enter:
   v HP-UX:
zcat cd_mount_point/hp/hpia32devhybrid-20070511a-sdk.tar.Z | tar -xvf -
v HP-UX on Integrity:
zcat cd_mount_point/hp_ia64/hpuxdevhybrid-20070511a-sdk.tar.Z | tar -xvf -
where /cd_mount_point is the CD mount point and /cd_mount_point/hp (or /cd_mount_point/hp_ia64 on HP-UX on Integrity) is the directory. Note that you must have both the zcat (uncompress) and the tar (extraction) utilities, and the directories for both utilities must be in your PATH environment variable.
Note: The installation wizards expect the JRE to be installed in the default location.
7. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the mount point.
8. For the IBM Tivoli Directory Server, create the symbolic link for IBM Java Runtime. Create the link after the IBM Tivoli Directory Server is installed:
ln -s /usr/java15 /opt/IBM/ldap/V6.1/java
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Insert an IBM Tivoli Access Manager CD that provides IBM Java Runtime for Linux on x86, Linux on System z, or Linux on POWER and mount it.
4. Change to the /mnt/cdrom/distribution directory, where /mnt/cdrom is the mount point for your CD and distribution is linux_i386 for x86, linux_s390 for System z, or linux_ppc for POWER.
5. Install the IBM Java Runtime package:
   Note: Tivoli Access Manager is a 32-bit application and requires a 32-bit Java Runtime package.
rpm -ihv package
   where package is the package for your platform, for example:
   Linux on POWER: ibm-java2-ppc-sdk-5.0-5.0.ppc.rpm
   Linux on System z: ibm-java2-s390-sdk-5.0-5.0.s390.rpm
To ensure that the IBM Java Runtime is accessible through the PATH system variable, enter a command such as the following (Linux on System z example):
export PATH=/opt/ibm/java2-s390-50/jre/bin:$PATH
For example:
export PATH=/usr/java15/jre/bin:$PATH
   Note: To display whether IBM Java Runtime 1.5.0 SR5 is already in the path, use the java -version command.
   v If you plan to use an installation path other than the default, set the JAVA_HOME environment variable to the path where you plan to install IBM Java Runtime. For example, enter the following to define JAVA_HOME:
export JAVA_HOME=/usr/mypath/java15/jre
5. Install the IBM Java Runtime package:
   a. Enter: mkdir -p /usr/java15
   b. Enter: cd /usr/java15
   c. Untar the package into the /usr/java15 directory:
   v For Solaris
zcat cd_mount_point/solaris/soldevhybrid-20070511-sdk.tar.Z | tar -xvf -
where /cd_mount_point is the CD mount point and /cd_mount_point/solaris or /cd_mount_point/solaris_x86 is the directory. Note that you must have both the zcat file uncompress and the tar file extraction utilities. The utilities may need to be fully qualified if they cannot be found in the PATH environment variable. After you install IBM Java Runtime, no configuration is necessary.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Insert an IBM Tivoli Access Manager CD that provides the IBM Java Runtime for Windows.
4. Enter the following command:
cd_drive\windows\JDK\ibm-java2-sdk-50-win-i386.exe
Complete online instructions. When installation has completed, click Finish. 5. Set the PATH environment variable:
set PATH=install_dir;%PATH%
For example, enter the following if you installed using the default installation directory for IBM Java Runtime 1.5.0 SR5:
set PATH=C:\Program Files\IBM\Java50\jre\bin;%PATH%
6. If you plan to use the IBM Global Security Kit (GSKit) iKeyman utility, do the following steps: a. Set the JAVA_HOME environment variable to the full path to your Java installation. For example:
set JAVA_HOME=c:\Program Files\IBM\Java50\jre
b. Add the GSKit bin and lib directories to the PATH variable. For example:
set PATH="C:\Program Files\ibm\gsk7\bin";%PATH%
set PATH="C:\Program Files\ibm\gsk7\lib";%PATH%
where cd_mount_point is the directory where the CD is mounted. Attention: You must install the Tivoli Security Utilities package first before installing the Access Manager Runtime package. 5. Unmount the CD. After you install Tivoli Security Utilities, no configuration is necessary. This step completes the setup of the Tivoli Security Utilities. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
3. Insert a CD that provides Tivoli Security Utilities for HP-UX or HP-UX on Integrity:
   v IBM Tivoli Access Manager Base
   v IBM Tivoli Access Manager Shared Session Management
   v IBM Tivoli Access Manager Web Security
4. Mount the CD using the HP-UX mount command. For example, enter the following:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
5. Enter the following command:
   v For HP-UX
swinstall -s /cd-rom/hp TivSecUtl
   where /cd-rom/hp is the directory. On HP-UX on Integrity the package is in the /cd-rom/hp_ia64 directory instead.
   Attention: You must install the Tivoli Security Utilities package first before installing the Access Manager Runtime package.
6. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the mount point. After you install Tivoli Security Utilities, no configuration is necessary. This step completes the setup of the Tivoli Security Utilities. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where package is as follows:
   Linux on x86: TivSecUtl-TivSec-6.1.1.0-0.i386.rpm
   Linux on System z: TivSecUtl-TivSec-6.1.1.0-0.s390.rpm
   Linux on POWER: TivSecUtl-TivSec-6.1.1.0-0.ppc.rpm
Attention: You must install the Tivoli Security Utilities package first before installing the Access Manager Runtime package.
6. Unmount the CD.
After you install Tivoli Security Utilities, no configuration is necessary. This step completes the setup of the Tivoli Security Utilities. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
where /cdrom/cdrom0/solaris specifies the location of the package and /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script. v For Solaris on x86_64:
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault TivSecUtl
where /cdrom/cdrom0/solaris_x86 specifies the location of the package and /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script. Attention: You must install the Tivoli Security Utilities package first before installing the Access Manager Runtime package.
After you install Tivoli Security Utilities, no configuration is necessary. This step completes the setup of the Tivoli Security Utilities. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
4. Run the setup.exe program from this directory.
5. Click Next. The Choose Destination Location window is displayed.
6. Accept the default destination directory or click Browse to select a path to another directory on the local system. If the directory does not exist, you must confirm that you want the directory created or specify a directory that exists.
7. Click Next to install Tivoli Security Utilities. The Setup Complete window is displayed.
8. Select whether to restart the computer now or later and click Finish.
After you install Tivoli Security Utilities, no configuration is necessary. This step completes the setup of the Tivoli Security Utilities. To set up another Tivoli Access Manager system, follow the steps in the Installation process on page 21.
You can insert any of the IBM Tivoli Access Manager CDs where IBM Tivoli Directory Server client is required as a prerequisite for the installation wizard. Refer to information in Components and prerequisites provided with Tivoli Access Manager systems on page 15 for a list of components that require IBM Tivoli Directory Server client as a prerequisite. Note: You can have multiple versions of the IBM Tivoli Directory Server client on the same system.
Table 21 on page 328 lists the packages required for each client type. Install the packages for your client in the order specified. To install multiple packages, separate the package names by a blank space.
Table 21. Client packages for AIX
32-bit client (no SSL):
   1. idsldap.cltbase61 (Base Client runtime and Base Client SDK)
   2. idsldap.clt32bit61 (32-bit client, no SSL)
32-bit client (SSL):
   1. idsldap.cltbase61 (Base Client runtime and Base Client SDK)
   2. idsldap.clt32bit61 (32-bit client, no SSL)
   3. idsldap.clt_max_crypto32bit61 (32-bit client, SSL)
64-bit client (no SSL):
   1. idsldap.cltbase61 (Base Client runtime and Base Client SDK)
   2. idsldap.clt64bit61 (64-bit client, no SSL)
64-bit client (SSL):
   1. idsldap.cltbase61 (Base Client runtime and Base Client SDK)
   2. idsldap.clt64bit61 (64-bit client, no SSL)
   3. idsldap.clt_max_crypto64bit61 (64-bit client, SSL)
Java client:
   idsldap.cltjava61 (Java client, required for X11 support)
Note: Full server versions require an X11 environment. For a client with no X11 requirements, install the 32-bit or 64-bit client as you would if you required an X11 environment.
5. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the mount point. After you install the IBM Tivoli Directory Server client, no configuration is necessary.
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
5. Install the client packages of IBM Tivoli Directory Server.
   v HP-UX
swinstall -s /cd_mount_point/hp packages
   v HP-UX on Integrity
swinstall -s /cd_mount_point/hp_ia64 packages
Table 22 lists the packages required for each client type. Install the packages for your client in the order specified.
Notes:
a. The package names are the same for both HP-UX PA-RISC and HP-UX on Integrity.
b. If you plan to install either the IBM Tivoli Directory Server full server or proxy server, you must install the 64-bit client package.
Table 22. Client packages for HP-UX
32-bit client:
   1. idsldap-cltbase61 (Base Client)
   2. idsldap-clt32bit61 (32-bit Client)
   3. idsldap-cltjava61 (Java Client)
64-bit client:
   1. idsldap-cltbase61 (Base Client)
   2. idsldap-clt64bit61 (64-bit Client)
   3. idsldap-cltjava61 (Java Client)
where /cd-rom is the mount point. After you install the IBM Tivoli Directory Server client, no configuration is necessary.
Table 23 on page 330 lists the packages required for each client type. Install the packages for your client in the order specified.
Note: On System z and POWER, when you intend to also install the server, install the 64-bit client because the server is 64-bit. Tivoli Access Manager for e-business requires the 32-bit client. Both the 32-bit and 64-bit clients can be installed on the same system.
Table 23. Client packages for Linux platforms
Linux on x86, 32-bit client:
   1. idsldap-cltbase61-6.1.0-6.i386.rpm (Base client)
   2. idsldap-clt32bit61-6.1.0-6.i386.rpm (32-bit client)
   3. idsldap-cltjava61-6.1.0-6.i386.rpm (Java client)
Linux on System z, 32-bit client:
   1. idsldap-cltbase61-6.1.0-6.s390.rpm (Base client)
   2. idsldap-clt32bit61-6.1.0-6.s390.rpm (32-bit client)
   3. idsldap-cltjava61-6.1.0-6.s390.rpm (Java client)
Linux on System z, 64-bit client: base client, 64-bit client, Java client, installed in that order.
Linux on POWER, 32-bit client: base client, 32-bit client, Java client, installed in that order.
Linux on POWER, 64-bit client: base client, 64-bit client, Java client, installed in that order.
6. Unmount the CD. After you install the IBM Tivoli Directory Server client, no configuration is necessary.
v Solaris on x86_64
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages
Table 24 lists the packages required for each client type. Install the packages for your client in the order specified.
Notes:
a. The package names are the same for both Solaris platforms.
b. During installation, you are asked if you want to use /opt as the base directory. If space permits, accept /opt as the base directory.
c. When you install client or server packages, the system might prompt you with the following query:
   This package contains scripts which will be executed with super-user permission during the process of installing the package. Continue with installation?
   Type y to continue. These scripts run as root and create the Tivoli Directory Server user ID, so answer y only for packages taken from the product CD.
Table 24. Client packages for Solaris
32-bit client:
   1. IDSlbc61 (Base client)
   2. IDSl32c61 (32-bit client)
   3. IDSljc61 (Java client)
64-bit client:
   1. IDSlbc61 (Base client)
   2. IDSl64c61 (64-bit client)
   3. IDSljc61 (Java client)
5. During installation, you are asked if you want to use /opt as the base directory. If space permits, use /opt as the base installation directory. To accept /opt as the base directory, press Enter. After you install the IBM Tivoli Directory Server client, no configuration is necessary.
7. Read the license agreement. Select to accept the terms and then click Next. A window is displayed that informs you of the packages that are already installed and if any action is required. If necessary, satisfy any requirements and click Next.
8. Select to install the C Client 6.1 feature and then click Next.
9. Review the configuration options that you selected. If you want to change any of your selections, click Back. Click Next to begin the installation.
After you install the IBM Tivoli Directory Server client, no configuration is necessary.
Follow the directions provided by the installation wizard to install WebSphere Application Server on the system.
6. Unmount the IBM Tivoli Access Manager WebSphere Application Server for AIX (1 of 2) CD and remove it.
7. Insert the IBM Tivoli Access Manager WebSphere Application Server for AIX (2 of 2) CD and mount it.
8. Change to the root directory on the drive where the CD is located.
9. Enter the following command:
./IHS/install
Follow the directions provided by the installation wizard to install IBM HTTP Server on the system. 10. Enter the following command:
./plugin/install
Follow the directions provided by the installation wizard to install the plugin for your Web server on the system. 11. Unmount the CD.
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point. 5. Change to the root directory on the drive where the CD is located. 6. Enter the following command:
./WAS/install
Follow the directions provided by the installation wizard to install WebSphere Application Server on the system.
7. Unmount the IBM Tivoli Access Manager WebSphere Application Server for HP-UX (1 of 2) CD or the IBM Tivoli Access Manager WebSphere Application Server for HP-UX on Integrity (1 of 2) CD as follows and remove it:
umount /cd-rom
where /cd-rom is the mount point.
8. Insert the CD for your platform and mount it:
   v IBM Tivoli Access Manager WebSphere Application Server for HP-UX (2 of 2)
   v IBM Tivoli Access Manager WebSphere Application Server for HP-UX on Integrity (2 of 2)
9. Change to the root directory on the drive where the CD is located.
10. Enter the following command:
./IHS/install
Follow the directions provided by the installation wizard to install IBM HTTP Server on the system. 11. Enter the following command:
./plugin/install
Follow the directions provided by the installation wizard to install the plugin for your Web server on the system. 12. Unmount the CD as follows:
umount /cd-rom
Follow the directions provided by the installation wizard to install WebSphere Application Server on the system.
6. Unmount the Linux CD and remove it.
7. Insert one of the following Linux CDs and mount it:
   v IBM Tivoli Access Manager WebSphere Application Server for Linux on x86 (2 of 2)
   v IBM Tivoli Access Manager WebSphere Application Server for Linux on System z (2 of 2)
   v IBM Tivoli Access Manager WebSphere Application Server for Linux on POWER (2 of 2)
8. Change to the root directory on the drive where the CD is located.
9. Enter the following command:
./IHS/install
Follow the directions provided by the installation wizard to install IBM HTTP Server on the system. 10. Enter the following command:
./plugin/install
Follow the directions provided by the installation wizard to install the plugin for your Web server on the system. 11. Unmount the CD.
Follow the directions provided by the installation wizard to install WebSphere Application Server on the system.
6. Remove the CD.
7. Insert one of the following CDs and mount it:
   v IBM Tivoli Access Manager WebSphere Application Server for Solaris (2 of 2)
   v IBM Tivoli Access Manager WebSphere Application Server for Solaris on x86_64 (2 of 2)
8. Change to the root directory on the drive where the CD is located.
9. Enter the following command:
./IHS/install
Follow the directions provided by the installation wizard to install IBM HTTP Server on the system. 10. Enter the following command:
./plugin/install
Follow the directions provided by the installation wizard to install the plugin for your Web server on the system. 11. Unmount the CD.
Follow the directions provided by the installation wizard to install WebSphere Application Server on the system.
7. Remove the IBM Tivoli Access Manager WebSphere Application Server for Windows (1 of 2) CD.
8. Insert the IBM Tivoli Access Manager WebSphere Application Server for Windows (2 of 2) CD.
9. Change to the root directory on the drive where the CD is located.
10. Enter the following command:
\IHS\install.exe
Follow the directions provided by the installation wizard to install IBM HTTP Server on the system. 11. Enter the following command:
\plugin\install.exe
Follow the directions provided by the installation wizard to install the plugin for your Web server on the system. 12. Update WebSphere Application Server to the supported level.
Note: If you install the SSL package, the No SSL package is also required.
b. Configure the Web Administration Tool into the application server. See Installing the Web Administration Tool into WebSphere on page 344.
7. Unmount the CD.
This step completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue one of the following commands:
/usr/WebSphere/AppServer/bin/startServer.sh server1
or
/opt/WebSphere/AppServer/bin/startServer.sh server1
To log in to the console, open a Web browser and type the following address:
http://localhost:12100/IDSWebApp/IDSjsp/Login.jsp
where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed. Note that this address uses plain HTTP, so the administrator credentials you type cross the network unencrypted unless the application server has been configured for SSL; until it has, log in only from the host itself or from an administrative network. For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide at: http://www.ibm.com/software/tivoli/products/directory-server
where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point. 7. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. Complete the following steps: a. Install the Web Administration Tool package:
v For HP-UX
swinstall -s /cd_mount_point/hp idsldap-webadmin61
b. Configure the Web Administration Tool into the application server. See Installing the Web Administration Tool into WebSphere on page 344. 8. Unmount the CD as follows:
umount /cd-rom
where /cd-rom is the mount point. This step completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue one of the following commands:
/usr/WebSphere/AppServer/bin/startServer.sh server1
or
/opt/WebSphere/AppServer/bin/startServer.sh server1
To log in to the console, open a Web browser and type the following address:
http://localhost:12100/IDSWebApp/IDSjsp/Login.jsp
where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed. For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide at: http://www.ibm.com/software/tivoli/products/directory-server
   v IBM Tivoli Access Manager Directory Server for Linux on System z (2 of 2)
   v IBM Tivoli Access Manager Directory Server for Linux on POWER (2 of 2)
6. Change to the /mnt/cdrom/distribution directory, where /mnt/cdrom is the mount point for your CD and distribution is linux_i386 for x86, linux_ppc for POWER, or linux_s390 for System z.
7. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. Complete the following steps:
   a. Install the Web Administration Tool package for your deployment.
   v Linux on x86
rpm -ihv idsldap-webadmin61-6.1.0-6.i386.rpm
v Linux on System z
rpm -ihv idsldap-webadmin61-6.1.0-6.s390.rpm
v Linux on POWER
rpm -ihv idsldap-webadmin61-6.1.0-6.ppc.rpm
   b. Install an application server such as WebSphere Application Server. See Linux: Installing WebSphere Application Server on page 335.
   c. Configure the Web Administration Tool into the application server. See Installing the Web Administration Tool into WebSphere on page 344.
8. Unmount the CD.
This step completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue one of the following commands:
/usr/WebSphere/AppServer/bin/startServer.sh server1
or
/opt/WebSphere/AppServer/bin/startServer.sh server1
To log in to the console, open a Web browser and type the following address:
http://localhost:12100/IDSWebApp/IDSjsp/Login.jsp
where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed. For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide at: http://www.ibm.com/software/tivoli/products/directory-server
requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that system requirements for the Web Administration Tool are met. For information, see page 11.
4. Ensure that the following servers are set up in your secure domain:
   v IBM Tivoli Directory Server or proxy server
   v IBM WebSphere Application Server
   For instructions on installing these servers, see Setting up IBM Tivoli Directory Server on page 54 and Installing IBM WebSphere Application Server on page 333.
5. Insert the CD for your platform:
   v IBM Tivoli Access Manager Directory Server for Solaris (2 of 2)
   v IBM Tivoli Access Manager Directory Server for Solaris on x86_64 (2 of 2)
6. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. Complete the following steps:
   a. Install the Web Administration Tool package for your deployment.
   v Solaris
pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IDSlweb61
      • Solaris on x86
pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault IDSlweb61
   b. Configure the Web Administration Tool into the application server. See Installing the Web Administration Tool into WebSphere on page 344.
7. Install the Web Administration Tool into your WebSphere Application Server configuration. For instructions, see page 344.
This step completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue one of the following commands:
/usr/WebSphere/AppServer/bin/startServer.sh server1
or
/opt/WebSphere/AppServer/bin/startServer.sh server1
To log in to the console, open a Web browser and type the following address:
http://localhost:12100/IDSWebApp/IDSjsp/Login.jsp
where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed. For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide at: http://www.ibm.com/software/tivoli/products/directory-server
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that system requirements for the Web Administration Tool are met. For information, see page 11.
4. Ensure that the following servers are set up in your secure domain:
   • IBM Tivoli Directory Server or proxy server
   • IBM WebSphere Application Server
   For instructions on installing these servers, see Setting up IBM Tivoli Directory Server on page 54 and Installing IBM WebSphere Application Server on page 333.
5. Insert the IBM Tivoli Access Manager Directory Server for Windows (2 of 3) CD.
6. Change directory to:
<CD-drive>:windows\tds
7. Double-click the install_tds.bat icon. The language window is displayed.
8. Select the language you want to use during the installation. Click OK.
9. On the Welcome window, click Next.
10. After reading the Software license agreement, select I accept both the IBM and the non-IBM terms. Click Next.
11. If you have any components already installed, they are displayed with their corresponding version levels. Click Next.
12. To install in the default directory, click Next. You can specify a different directory by clicking Browse or typing the directory path you want. The directory will be created if it does not exist.
13. Click Custom and then click Next.
14. A window showing the following components for installation is displayed:
    • Tivoli Global Security Kit
    • DB2 V9.1
    • Embedded WebSphere Application Server
    • C Client 6.1
    • Java Client 6.1
    • Web Administration Tool 6.1
    • Proxy Server 6.1
    • Server 6.1
    Follow the online instructions to complete the installation. Ensure that you select Web Administration Tool 6.1 and clear all other installation features.
This step completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue the following command:
C:\Program Files\IBM\WebSphere\AppServer\bin\startServer.bat server1
To log in to the console, open a Web browser and type the following address:
http://localhost:12100/IDSWebApp/IDSjsp/Login.jsp
where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed. For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide at: http://www.ibm.com/software/tivoli/products/directory-server
where hostname specifies the name or IP address of the system where the IBM WebSphere Application Server is installed.
2. Log in to the console using a valid user ID and, if applicable, password.
3. Click Applications > Install New Applications in the console navigation tree. The first of two Preparing for application install pages is shown.
4. On the first Preparing for application install page:
   a. Specify the full path of the standalone Web Administration Tool application file IDSWebApp.war as follows:
      1) On UNIX or Linux systems:
install_dir/idstools/IDSWebApp.war
      where install_dir is the installation directory that you specified when installing the Web Administration Tool. For example: /opt/IBM/ldap/V6.1
      2) On Windows systems:
install_dir/idstools/IDSWebApp.war
      where install_dir is the installation directory that you specified when installing the Web Administration Tool. For example: C:\Program Files\IBM\LDAP\V6.1
   b. In the Context Root field, specify the following value:
/IDSWebApp
   c. Click Next.
5. Select whether to generate default bindings or accept the defaults, and click Next. Using the default bindings causes any incomplete bindings in the application to be filled in with default values. Existing bindings are not altered. You can customize the default values used in generating default bindings. The Install New Applications pages are displayed.
6. (Step 1: Provide options to perform the install) Ensure that the Application Name field contains IDSWebApp_war, accept the default values, and click Next.
7. (Step 2: Map modules to servers) Select IBM Tivoli Directory Server Web Application v2.0 as the Web Module, select Clusters and Servers, and click Apply.
8. Click Next.
9. (Step 3: Map virtual hosts for web modules) Select IBM Tivoli Directory Server Web Application v2.0 and click Next.
10. (Step 4: Summary) Review the installation options and click Finish.
11. When the Save to Master Configuration page is displayed, click Save to save the changes to your configuration. The application is registered with the administrative configuration.
12. On the Enterprise Applications panel, select IDSWebApp_war and click Start.
Attention Do not unconfigure the Access Manager Runtime component unless all Tivoli Access Manager applications installed on the system, such as WebSEAL and other Web server plug-ins, already have been unconfigured. Otherwise, the Tivoli Access Manager application is left in an unusable state. Unconfigure and remove the policy server system last.
Note: On Windows systems, you also can select Start > Programs > Access Manager > Configuration. The Access Manager Setup Menu is displayed.
3. Unconfigure components in the following order:
   a. Access Manager Attribute Retrieval Service
   b. Access Manager session management command line interface, or Access Manager session management service
   c. Access Manager Web Portal Manager, Access Manager WebSEAL, Access Manager Plug-in for Edge Server, or Access Manager Plug-in for Web Servers
   d. Access Manager Authorization Server
   e. Access Manager Policy Proxy Server, standby Access Manager Policy Server
   f. Access Manager Policy Server
   g. Access Manager Runtime and Access Manager Runtime for Java
   To unconfigure a component on UNIX, type the number of the menu item for the Tivoli Access Manager component. To unconfigure a component on Windows, select a component and then click Unconfigure. Repeat this procedure for each package that you want to unconfigure.
   Notes:
   a. If a component is not configured, then you can simply remove it.
   b. If you are using an LDAP user registry and are unconfiguring a policy server or policy proxy server, you are prompted for the distinguished name (cn=root) and password of the LDAP administrator.
   c. When unconfiguring the policy server:
      • You are warned that configuration and authorization information for all Tivoli Access Manager servers and applications installed in the management domain will be removed. To proceed, enter y.
      • You are prompted whether you wish to permanently remove domain information from the registry. Enter y to remove all domain information, including user and group information. Enter n to remove domain information but retain user and group information so that the domain can be recreated later if needed.
   d. If you have either the Access Manager Runtime for Java or Web Portal Manager installed, but not the Access Manager Runtime, use the /opt/PolicyDirector/sbin/pdjrtecfg utility to unconfigure Access Manager Runtime for Java as follows:
/opt/PolicyDirector/sbin/pdjrtecfg -action unconfig -interactive
and use the /opt/PolicyDirector/sbin/amwpmcfg utility to unconfigure Access Manager Web Portal Manager as follows:
/opt/PolicyDirector/sbin/amwpmcfg -action unconfig -interactive
3. Click Unconfigure database in the navigation pane.
4. In the Unconfigure Database window, select one of the following:
   Unconfigure database
      Removes information about the database from the configuration file for the directory server instance. However, the database and its data are left intact. This makes the database inaccessible to the directory server instance but does not destroy any data in the database.
   Unconfigure and destroy database
      Deletes the database and its contents and removes information about the database from the configuration file for the directory server instance.
5. Click Unconfigure. Click Yes to confirm the operation.
Note: The -n option specifies not to prompt the user for confirmation before unconfiguring.
• To unconfigure and delete the database for directory server instance my_instance, enter the command:
idsucfgdb -r -n -I my_instance
Notes:
1. The -n option specifies not to prompt the user for confirmation before unconfiguring.
2. The -r option specifies deletion of the database.
See the IBM Tivoli Directory Server Version 6.1 Command Reference for detailed information about the idsucfgdb command.
   • On Windows systems, you also can click Start > Programs > IBM Tivoli Directory Server 6.1 > Instance Administration Tool.
4. In the IBM Tivoli Directory Server Instance Administration Tool window, select the instance to delete and click Delete....
5. In the Delete directory server instance window, select one of the following options:
   Delete directory server instance only
      To remove the directory server instance but leave the database instance intact.
   Delete directory server instance and destroy associated database instance
      To remove both the directory server instance and the database instance.
6. Click Delete. Messages are displayed in the Task Messages pane as the operation is performed.
7. Click Close after the operation completes to close the window and return to the main window of the Instance Administration Tool.
8. If you have finished using the Instance Administration Tool, click Close to exit the tool.
• To remove a directory server instance and destroy the associated database instance:
idsidrop -I <instance_name> -r
• To unconfigure the associated database instance without removing a directory server instance:
idsidrop -I <instance_name> -R
See the IBM Tivoli Directory Server Version 6.1 Command Reference for information about the idsidrop command.
Removing packages
Uninstalling Tivoli Access Manager is a two-part process. You must unconfigure components and then remove them, unless instructed to do otherwise, such as during the upgrade process.
• AIX on page 351
• HP-UX on page 353
• Linux on page 354
• Solaris on page 356
• Windows on page 357
where packages specifies one or more of the following. Note: Use the -g option only if you want dependent software for the specified package removed.
AIX
Component                                                        Package
Certificate and SSL Base Runtime Acme Toolkit                    gsksa.rte
IBM Global Security Kit (GSKit)                                  gskta.rte
IBM Tivoli Directory Server Web Administration Tool (No SSL)     idsldap.webadmin61
IBM Tivoli Directory Server Web Administration Tool (SSL)        idsldap.webadmin_max_crypto61
IBM Tivoli Directory Server client (client base, 32-bit client   idsldap.cltbase61
without SSL, 64-bit client without SSL, 32-bit client with SSL,  idsldap.clt32bit61
and 64-bit client with SSL)                                      idsldap.clt64bit61
                                                                 idsldap.clt_max_crypto32bit61
                                                                 idsldap.clt_max_crypto64bit61
                                                                 idsldap.cltjava61
IBM Tivoli Directory Server (64-bit server and 64-bit proxy server without SSL, the 64-bit server and 64-bit proxy server with SSL, and English messages) Access Manager Application Development Kit
Access Manager Attribute Retrieval Service                       PDWeb.ARS
Access Manager Authorization Server                              PD.Acld
Access Manager License                                           PD.lic
Access Manager Plug-in for IBM HTTP Server                       PD.WPIIHS
Access Manager Plug-in for Sun Java System Web Server            PD.WPIiPlanet
Access Manager Plug-in for Web Servers                           PD.WPI
Access Manager Policy Proxy Server                               PD.MgrPrxy
Access Manager Policy Server                                     PD.Mgr
Access Manager Runtime                                           PD.RTE
Access Manager Runtime for Java                                  PDJ.rte
Access Manager Session Management Command Line                   PD.SMSCLI
Access Manager Session Management Server                         PD.SMS
Access Manager Web Portal Manager                                PD.WPM
Access Manager Web Security ADK                                  PDWeb.ADK
Access Manager Web Security Runtime                              PDWeb.RTE
Access Manager WebSEAL                                           PDWeb.Web
Tivoli Security Utilities                                        TivSec.Utl
Removing DB2
To remove DB2 from an AIX system:
1. Log in as a user with root authority.
2. Change to the following directory: db2_install_dir/install
   where db2_install_dir is the directory where DB2 is installed.
3. Run the following command:
./db2_deinstall -a
A prompt is displayed indicating that the pre-removal script is being run. Each file is listed as it is removed.
Chapter 19. Uninstalling components
Removing DB2
To remove DB2 from an HP-UX or HP-UX on Integrity system:
1. Log in as a user with root authority.
2. Change to the following directory: db2_install_dir/install
   where db2_install_dir is the directory where DB2 is installed.
3. Run the following command:
./db2_deinstall -a
Component                                                                              Package
Access Manager Attribute Retrieval Service (Linux on System z and Linux on x86 only)   PDWebARS-PD-6.1.1.0-0
Access Manager Authorization Server
Access Manager License
Access Manager Plug-in for Apache Web Server (Linux on System z only)
Access Manager Plug-in for IBM HTTP Server (Linux on x86 and Linux on System z)        PDWPI-IHS-6.1.1.0-0
Access Manager Plug-in for Web Servers (Linux on System z and Linux on x86)            PDWPI-PD-6.1.1.0-0
Access Manager Policy Proxy Server
Access Manager Policy Server
Access Manager Runtime
Access Manager Runtime for Java
Access Manager Session Management Command Line (Linux on System z only)
Access Manager Session Management Server (Linux on System z only)                      PDSMS-PD-6.1.1.0-0
Access Manager Web Portal Manager                                                      PDWPM-PD-6.1.1.0-0
Access Manager Web Security ADK (Linux on System z and Linux on x86 only)              PDWebADK-PD-6.1.1.0-0
Access Manager Web Security Runtime (Linux on System z and Linux on x86 only)          PDWebRTE-PD-6.1.1.0-0
Access Manager WebSEAL (Linux on System z and Linux on x86 only)                       PDWeb-PD-6.1.1.0-0
Tivoli Security Utilities                                                              TivSecUtl-TivSec-6.1.1.0-0
Note: Not all of the packages listed are available for each type of Linux (Linux on System z, Linux on x86, or Linux on POWER).
Removing DB2
To remove DB2 from a Linux system:
1. Log in as a user with root authority.
2. Change to the following directory: db2_install_dir/install
   where db2_install_dir is the directory where DB2 is installed.
3. Run the following command:
./db2_deinstall -a
Access Manager Plug-in for Apache Web Server                     PDWPIapa (not on Solaris x86_64)
Access Manager Plug-in for IBM HTTP Server                       PDWPIihs (not on Solaris x86_64)
Access Manager Plug-in for Sun Java System Web Server            PDWPIipl (not on Solaris x86_64)
Access Manager Plug-in for Web Servers                           PDWPI (not on Solaris x86_64)
Access Manager Policy Proxy Server                               PDMgrPrxy
Access Manager Policy Server                                     PDMgr
Access Manager Runtime                                           PDRTE
Access Manager Runtime for Java                                  PDJrte
Access Manager Session Management Command Line                   PDSMSCLI (not on Solaris x86_64)
Access Manager Session Management Server                         PDSMS (not on Solaris x86_64)
Access Manager Web Portal Manager                                PDWPM
Access Manager Web Security ADK                                  PDWebADK
Access Manager Web Security Runtime                              PDWebRTE
Access Manager WebSEAL                                           PDWeb
Tivoli Security Utilities                                        TivSecUtl
3. When prompted to confirm the removal of these components, enter y. A prompt is displayed indicating that the pre-removal script is being run. Each file is listed as it is removed.
Removing DB2
To remove DB2 from a Solaris or Solaris on x86_64 system:
1. Log in as a user with root authority.
2. Change to the following directory: db2_install_dir/install
   where db2_install_dir is the directory where DB2 is installed.
3. Run the following command:
./db2_deinstall -a
You can select to uninstall the following Tivoli Access Manager packages:
• IBM Tivoli Directory Server Web Administration Tool
• IBM Tivoli Directory Server
• IBM DB2
• Access Manager Application Development Kit
• Access Manager Attribute Retrieval Service
• Access Manager Authorization Server
• Access Manager License
• Access Manager Plug-in for Internet Information Services
• Access Manager Plug-in for Web Servers
• Access Manager Policy Proxy Server
• Access Manager Policy Server
• Access Manager Session Management Command Line
• Access Manager Session Management Server
• Access Manager Runtime
• Access Manager Runtime for Java
• Access Manager Web Portal Manager
• Access Manager Web Security ADK
• Access Manager Web Security Runtime
• Access Manager WebSEAL
• Tivoli Security Utilities
5. Select another component from the list or click OK to exit the program.
6. You cannot uninstall IBM Global Security Kit (GSKit) using the Add/Remove Programs icon as you can the other Tivoli Access Manager components. To remove GSKit from your system, enter the following command:
isuninst -f"c:\Program Files\ibm\gsk7\gsk7bui.isu" PolicyDirector
where c:\Program Files\ibm\gsk7 is the fully-qualified path where the gsk7BUI.isu file is located.
Pre-installation requirements
• The installation wizard enables Secure Socket Layer (SSL) security. You can choose to have the installation wizard automatically generate an SSL key database file named am_key.kdb with a self-signed certificate for you, or use an SSL key database file that you have already created. For information on creating your own key database file and obtaining a certificate from a Certificate Authority (CA), see Chapter 23, Enabling Secure Sockets Layer (SSL) security, on page 473.
• The install_ldap_server wizard creates a user for you. If you wish to create a user manually, you must perform the following pre-installation tasks (as required) before you install and configure IBM Tivoli Directory Server.
  - On UNIX or Linux platforms, the user must have a home directory and must be the owner of the home directory.
  - Choose a directory where the DB2 database will be located. The installation wizard will prompt for this directory under Directory server database home.
  - The group ownership of the DB2 database directory should be the DB2 group created when DB2 was installed. On AIX and Solaris, this group is usually named dbsysadm. For Linux on System z, this group is usually named db2iadm1. For example, in the case of a user named ldapdb2, the database directory should be owned by ldapdb2:dbsysadm on AIX and Solaris or by ldapdb2:db2iadm1 for Linux on System z. There might be some groups that do not work correctly as the user's primary group when configuring the database. For example, if the user's primary group on Linux is users, problems might occur. For best results, use bin as the group.
  - The user root must be a member of the group chosen to own the DB2 database directory. If root is not a member of this group, add root as a member of the group.
  - For best results, the user's login shell should be the Korn shell (/usr/bin/ksh).
  - The user's password must be set correctly and ready to use. For example, the password cannot be expired or waiting for a first-time validation of any kind. (The best way to verify that the password is correctly set is to telnet to the same computer and successfully log in with that user ID and password.)
  - When configuring the database, it is not necessary, but customary, to specify the home directory of the user ID as the database location. However, if you specify some other location, the user's home directory still must have 3 to 4 MB of space available. This space is required because DB2 creates links and adds files into the home directory of the instance owner (that is, the user) even though the database itself is located elsewhere. If you do not have enough space in the home directory, you can either create enough space or specify another directory as the home directory.
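The account requirements listed above can be verified with a script before the wizard is started. The following is an added example, not part of the Tivoli Access Manager or Tivoli Directory Server tooling; the function names are the example's own, and the user, group and directory in the usage line (ldapdb2, dbsysadm, /home/ldapdb2) are the defaults the guide quotes for AIX and Solaris. It reports each requirement separately so that a failed configuration (which would otherwise have to be unconfigured and redone) can be avoided.

```shell
#!/bin/sh
# Pre-installation checks for the DB2 instance owner that install_ldap_server
# expects. Added example; not part of the Tivoli Access Manager or Tivoli
# Directory Server tooling. The defaults in the usage line (ldapdb2,
# dbsysadm, /home/ldapdb2) are the ones the guide quotes; on Linux on
# System z the DB2 group is usually db2iadm1.

# Field N of USER's passwd entry (getent where available, else /etc/passwd).
passwd_field() {
    entry=$(getent passwd "$1" 2>/dev/null) || entry=$(grep "^$1:" /etc/passwd 2>/dev/null)
    printf '%s\n' "$entry" | awk -F: -v n="$2" '{ print $n }'
}

# Numeric gid of GROUP from the group database.
group_gid() {
    entry=$(getent group "$1" 2>/dev/null) || entry=$(grep "^$1:" /etc/group 2>/dev/null)
    printf '%s\n' "$entry" | awk -F: '{ print $3 }'
}

# Numeric uid / gid owning a file, via ls -ldn (behaves the same on AIX,
# HP-UX, Solaris and Linux, unlike the platform-specific stat(1) flags).
owner_uid_of() { ls -ldn "$1" 2>/dev/null | awk '{ print $3 }'; }
group_gid_of() { ls -ldn "$1" 2>/dev/null | awk '{ print $4 }'; }

# Succeeds when DIR exists and is owned by USER.
dir_owned_by() {
    [ -d "$1" ] && [ "$(owner_uid_of "$1")" = "$(id -u "$2" 2>/dev/null)" ]
}

# Succeeds when DIR exists and its group owner is GROUP.
dir_group_is() {
    [ -d "$1" ] && [ -n "$(group_gid "$2")" ] && [ "$(group_gid_of "$1")" = "$(group_gid "$2")" ]
}

# Succeeds when USER is a member (primary or supplementary) of GROUP.
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Succeeds when the file system holding PATH has at least MB megabytes free.
has_free_mb() {
    avail_kb=$(df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }')
    [ -n "$avail_kb" ] && [ "$avail_kb" -ge $(( $2 * 1024 )) ]
}

# Run every check for USER, GROUP and the DB2 database directory DBDIR.
# Prints one line per check and returns the number of failed checks
# (0 means the account is ready for the wizard).
check_db2_owner() {
    user=$1; group=$2; dbdir=$3; failures=0
    home=$(passwd_field "$user" 6)
    shell=$(passwd_field "$user" 7)

    check() {   # check DESCRIPTION COMMAND...: run COMMAND and report its result
        desc=$1; shift
        if "$@"; then printf 'ok    %s\n' "$desc"
        else printf 'FAIL  %s\n' "$desc"; failures=$((failures + 1)); fi
    }

    check "user $user exists in the passwd database"             test -n "$home"
    check "home directory '$home' exists and is owned by $user"  dir_owned_by "$home" "$user"
    check "login shell is the Korn shell (found '$shell')"       test "$shell" = /usr/bin/ksh
    check "$dbdir exists and is group-owned by $group"           dir_group_is "$dbdir" "$group"
    check "root is a member of group $group"                     user_in_group root "$group"
    check "$user is a member of group $group"                    user_in_group "$user" "$group"
    check "at least 4 MB free in '$home' for DB2 instance files" has_free_mb "$home" 4
    return "$failures"
}

# Usage (the guide's defaults for AIX and Solaris):
#   check_db2_owner ldapdb2 dbsysadm /home/ldapdb2
```

The password check from the list (log in as the user over telnet or ssh) is deliberately left to a manual step, since an expired or first-login password can only be detected by authenticating as that user.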
install_ldap_server scenario
To install and configure IBM Tivoli Directory Server and its prerequisite software, follow these steps:
1. Log on as root or as an administrative user.
2. Insert the IBM Tivoli Access Manager Directory Server (1 of 2) CD for your UNIX or Linux platform or the IBM Tivoli Access Manager Directory Server (1 of 3) CD for Windows platforms.
3. Ensure that you have a supported JVM installed and that the path to the JVM is set. Otherwise, you will receive the following message during installation:
A suitable JVM could not be found. Please run the installer again using the option -is:javahome <JAVA HOME DIR>
   To install the supported JRE package included with Tivoli Access Manager, see Installing IBM Java Runtime on page 318.
4. To start the installation wizard, change to the root directory of the CD and enter the following:
./install_ldap_server
5. Select the language that you want to use for the installation and click OK.
7. Read the license agreement and select the I accept check box if you agree to the terms. Click Next to continue.
8. Do one of the following:
   • Windows systems: The next panels prompt you to specify installation directories for:
     IBM Global Security Kit (GSKit): C:\Program Files\IBM\gskta
     IBM DB2: C:\Program Files\IBM\SQLLIB
Chapter 20. Installation wizard scenarios
     IBM Tivoli Directory Server: C:\Program Files\IBM\LDAP\V6.1
     IBM Tivoli Directory Server client: C:\Program Files\IBM\LDAP\V6.1
     Accept the default directories, or click Browse to select another directory. Click Next to continue.
   • UNIX or Linux systems: Skip to step 9. The installation wizard automatically installs IBM Global Security Kit (GSKit), IBM DB2, and the IBM Tivoli Directory Server in the following directories:
     IBM Global Security Kit (GSKit) installation directory
       AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
       HP-UX on Integrity
         - On 32-bit: /opt/ibm/gsk7_32
         - On 64-bit: /opt/ibm/gsk7_64
       HP-UX and Solaris: /opt/ibm/gsk7
       Linux: /usr/local/ibm/gsk7
     IBM DB2 installation directory
       UNIX and Linux: /opt/IBM/db2/V9.1
     IBM Tivoli Directory Server installation directory
       UNIX: /opt/IBM/ldap/V6.1
       Linux: /opt/ibm/ldap/V6.1
     IBM Tivoli Directory Server client installation directory
       UNIX: /opt/IBM/ldap/V6.1
       Linux: /opt/ibm/ldap/V6.1
9. Complete the following fields about DB2 and then click Next to continue.
   a. DB2 administrator ID (also used for the instance name)
      Enter the DB2 administrator ID for the DB2 database owner ID (for example, db2admin for Windows or ldapdb2 for UNIX).
      • The user ID can be no longer than 8 characters.
      • The identity that you create will be used for both the DB2 administrator ID and the DB2 database owner ID.
      • The user ID that you specify will own the database instance where the DB2 database will exist.
      • On Windows platforms, the user must be a member of the Administrators group and must be in the same domain as the Administrator ID.
   b. DB2 administrator password
      Enter the DB2 administrator password for the DB2 database owner ID.
   c. On UNIX and Linux systems only: Group
      Select a group to own the instance, such as bin.
   d. Select the Create the DB2 administrator if it does not already exist check box.
      You can choose to automatically create the DB2 administrator account if it does not already exist. Otherwise, you must exit the installation wizard to create the account.
      Note: On Windows systems, if the specified user does not exist, then the user is automatically created regardless of whether the check box is selected or not.
   e. Directory server database home
      Enter a directory where the DB2 database will be located. The default database home for Windows is the root directory; for example, C: The default location for AIX, Linux on x86, Linux on System z, Linux on POWER, HP-UX or HP-UX on Integrity is /home/ldapdb2, and the default location for Solaris and Solaris on x86_64 is /export/home/ldapdb2.
      Note: Be sure that you have at least 80 MB of free hard disk space in the location that you specify. Also, make sure that additional disk space is available to accommodate growth as new entries are added to the directory.
   f. DB2 database name
      Enter the name of the DB2 database. The database name can be anything you choose. Or use the default DB2 database amdb.
   g. Encryption seed
      Enter the encryption seed that will be used to create the key stash files for the IBM Tivoli Directory Server instance.
      The encryption seed can contain printable ISO-8859-1 ASCII characters only, with values in the range of 33 to 126, such as a-z, A-Z, and 0-9. The seed must be a minimum of 12 and a maximum of 1016 characters in length. For example: 0123456789012
10. Complete the following fields about the IBM Tivoli Directory Server and then click Next to continue.
   a. Administrator ID
      Type a valid IBM Tivoli Directory Server distinguished name (DN) or accept the default DN (cn=root). This DN is used by the LDAP administrator who has full access to all data in the directory.
      Note: DNs are not case-sensitive. If you are unfamiliar with X.500 format, or if for any other reason you do not want to define a new DN, accept the default DN.
   b. Administrator password
      Create a password for the IBM Tivoli Directory Server administrator ID. Note that passwords are case-sensitive.
   c. Password confirmation
      Type the administrator password again for confirmation.
   d. User-defined suffix
      Type a suffix to maintain user and group data. For example: o=ibm,c=us
   e. Local host name
      Type the fully qualified name or IP address of the host system on which IBM Tivoli Directory Server will be located. For example: dana.tivoli.com
11. Secure Sockets Layer (SSL) security is always enabled when using the installation wizard. You can choose to have the installation wizard create an SSL key database file with a self-signed certificate, or you can specify the location and name of an existing SSL key database file to use. The default key file name is am_key.kdb.
    Complete the following fields:
    Non-SSL port
       Type the port number on which the LDAP server listens for requests other than SSL requests. The default value is 389.
    SSL port
       Type the port number on which the LDAP server listens for SSL requests. The default value is 636.
    SSL key file with full path
       Type the fully qualified path where the existing SSL key database file is located. The default value is:
       Windows: C:\Program Files\IBM\LDAP\V6.1\lib\am_key.kdb
       UNIX or Linux: /opt/ibm/ldap/V6.1/lib/am_key.kdb
    SSL key file password
       Type the password that is associated with the specified SSL key file. The client key file password is set when the key file is first generated.
    Password confirmation
       Type the SSL key file password again to confirm it.
    Certificate label
       Type the label for the SSL client certificate. This label is valid only when SSL is being used and when the registry server has been configured to require client authentication. Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file (for example: PDLDAP). Otherwise, leave this field blank.
       Note: This label is not required during configuration of the policy server or the authorization server. This value is required only if the server is configured to perform both server and client authentication during SSL establishment or if you want to use a certificate from a certificate authority (CA) in your key file. Typically, the IBM Tivoli Directory Server requires only server-side certificates that were specified during the generation of the client .kdb file.
    Create SSL key file
       Select the check box to create an SSL key file. The installation wizard uses IBM Global Security Kit (GSKit) to generate the certificate and the SSL key file.
    Enable Federal Information Processing Standards (FIPS)
       Select the check box to enable Federal Information Processing Standards (FIPS). The installation wizard creates all key files and certificates using FIPS-approved algorithms. When using a certificate from a certificate authority (CA), if FIPS enablement is required, make sure the certificate was generated with FIPS-approved algorithms. By selecting this check box, the IBM Tivoli Directory Server will be configured to use the appropriate FIPS secure communications protocol.
    Click Next to continue.
12. Review the summary that lists by disk drive (for Windows) or file system (for UNIX or Linux) the amount of disk space that is required to install the Tivoli Directory Server component and the prerequisite components (if not already installed), including space needed for symbolic links. Compare the amount of disk space required to the amount of disk space available. If sufficient space exists, click Next to continue.
13. Review the configuration options that you selected. If you want to change any of your selections, click Back. Click Next to begin the installation.
    Note: On Windows systems, you are prompted to intermittently restart your system.
14. Monitor the installation and configuration of the IBM Tivoli Directory Server and its prerequisite products.
15. When the restart panel is displayed, select to restart your computer now by clicking Next.
    Note: Some operating systems might not require you to restart your computer.
16. After the restart, the Configuration Tool runs automatically to complete server configuration. Continue to monitor the configuration process and click Finish when configuration has completed.
    Note: If the installation process encounters any problems, consult the installation log file, msg_ldaps_install.log, located in the following directory:
    • On UNIX or Linux systems:
/tmp
    • On Windows systems:
%TEMP%
The installation wizard does not install the IBM Tivoli Directory Server Web Administration Tool. If you wish to administer Tivoli Directory Servers locally or remotely using a GUI, you can install it as described in Installing the Web Administration Tool on page 338.
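The constraints the wizard places on its inputs in steps 9 through 11 (DB2 administrator ID of at most 8 characters, an encryption seed of 12 to 1016 characters drawn only from ASCII 33 to 126, numeric listener ports, a host name) can be checked before the wizard is run, so that a mistyped value does not leave a half-configured instance to unconfigure. The script below is an added example, not part of the install_ldap_server wizard; the function names are the example's own, and the rule that the non-SSL and SSL ports must differ is an assumption beyond the page, included because two listeners cannot bind the same port.

```shell
#!/bin/sh
# Validators for the values install_ldap_server asks for in steps 9-11.
# Added example; not part of the Tivoli Directory Server installation wizard.
LC_ALL=C; export LC_ALL   # byte-wise character ranges and string lengths

# DB2 administrator ID: 1 to 8 characters (the wizard rejects longer IDs).
valid_db2_admin_id() {
    [ -n "$1" ] && [ "${#1}" -le 8 ]
}

# Encryption seed: printable ISO-8859-1 ASCII only, code points 33 to 126
# (so no space, tab or newline), and 12 to 1016 characters long.
valid_seed() {
    seed=$1
    # Bytes left after deleting everything in '!'..'~' (33..126) are out of range.
    leftover=$(( $(printf '%s' "$seed" | tr -d '!-~' | wc -c) ))
    [ "$leftover" -eq 0 ] && [ "${#seed}" -ge 12 ] && [ "${#seed}" -le 1016 ]
}

# Listener port (non-SSL, SSL, policy server): an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Local host name: dot-separated labels of letters, digits and hyphens
# (a dotted-quad IPv4 address also passes). Deliberately simple.
valid_host() {
    case $1 in
        ''|*..*|.*|*.|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Check one complete set of answers. Prints a reason for each rejected
# field and returns the number of rejected fields (0 means all acceptable).
validate_wizard_input() {
    admin_id=$1 seed=$2 nonssl_port=$3 ssl_port=$4 host=$5
    bad=0
    valid_db2_admin_id "$admin_id" || { echo "DB2 administrator ID: must be 1 to 8 characters"; bad=$((bad + 1)); }
    valid_seed "$seed"             || { echo "encryption seed: 12 to 1016 characters, ASCII 33 to 126 only"; bad=$((bad + 1)); }
    valid_port "$nonssl_port"      || { echo "non-SSL port: must be an integer in 1..65535"; bad=$((bad + 1)); }
    valid_port "$ssl_port"         || { echo "SSL port: must be an integer in 1..65535"; bad=$((bad + 1)); }
    # Assumption beyond the guide: the two listeners cannot share a port.
    [ "$nonssl_port" != "$ssl_port" ] || { echo "ports: non-SSL and SSL ports must differ"; bad=$((bad + 1)); }
    valid_host "$host"             || { echo "local host name: invalid host name or address"; bad=$((bad + 1)); }
    return "$bad"
}

# Usage with the guide's own example values:
#   validate_wizard_input ldapdb2 0123456789012 389 636 dana.tivoli.com
```

Running the validators in the C locale matters: the seed limit counts characters that must all be single-byte ASCII, so byte length and character length coincide only once the character-range test has passed, which is why `valid_seed` tests the range first.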
7. Select the language that you want to use for the installation and click OK.
9. Read the license agreement and select the I accept check box if you agree to the terms. Click Next to continue.
10. Select the type of user registry that you plan to use for Tivoli Access Manager. For example, select LDAP as the type of registry server that you want to use. Click Next to continue.
    • UNIX or Linux systems: Skip to step 12. The installation wizard automatically installs IBM Tivoli Security Utilities into the following installation directory: /opt/IBM/Tivoli/SecUtilities
12. Specify the Access Manager Runtime installation directory.
    Access Manager Runtime installation directory for UNIX or Linux: /opt/PolicyDirector
13. Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager will write its message and trace log data to default locations that are defined by the Tivoli Access Manager product. If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed but it cannot be modified.
14. Do one of the following:
    • Windows systems: If not already installed, the next panels prompt you to specify installation directories for IBM Global Security Kit (GSKit), IBM DB2, and the IBM Tivoli Directory Server client. Accept the default directories or click Browse to select another directory. Click Next to continue.
    • UNIX or Linux systems: Skip to step 15. The installation wizard automatically installs IBM Global Security Kit (GSKit), IBM DB2, and the IBM Tivoli Directory Server client in the following directories:
      IBM Global Security Kit (GSKit) installation directory
        AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
        HP-UX and Solaris on x86_64: /opt/ibm/gsk7
        HP-UX on Integrity
          - On 32-bit: /opt/ibm/gsk7_32
          - On 64-bit: /opt/ibm/gsk7_64
        Linux: /usr/local/ibm/gsk7
      IBM Tivoli Directory Server client installation directory
        AIX, HP-UX, HP-UX on Integrity, Solaris and Solaris on x86_64: /opt/IBM/ldap/V6.1
        Linux: /opt/ibm/ldap/V6.1
15. Complete the following fields for the LDAP server and click Next.
v LDAP server host name
  Type the host name of the LDAP server.
v LDAP server port
  The LDAP server port is already provided (389). If you changed this port number during configuration of the LDAP server, modify this value accordingly.
16. You are prompted to enable Secure Sockets Layer (SSL) with the registry server. For security purposes, select this check box and click Next; you are then prompted for the SSL options listed in step 17.
17. If you selected to enable SSL, complete the following fields and select Next.
v SSL key file with full path
  Type the fully qualified path of the existing SSL key database file. If you are using the SSL key database file that contains the self-signed certificate generated by the installation wizard, copy the key database file from the LDAP server to this system and specify that location here.
v SSL key file password
  Type the password that is associated with the specified SSL key file.
v Certificate label
  Type the label for the SSL client certificate. This label is required only when SSL is being used and the registry server has been configured to require both server and client authentication. A certificate label distinguishes between multiple certificates within the SSL key file, or selects a certificate other than the default certificate in the key file (for example: PDLDAP). Otherwise, leave this field blank.
v SSL port
  The port number on which the registry server listens for SSL requests. SSL communication takes place between the policy server and the registry server. Use the default port number, 636, or modify it if your registry server listens on a different port.
18. Complete the following fields and click Next.
v IBM Tivoli Access Manager administrator password
  Create an administrator password for the security master ID (sec_master). You can use this administrator ID to define your own administrative IDs, groups, and their capabilities.
  Note: When creating Tivoli Access Manager passwords, make sure that the password meets the minimum strength requirements of the underlying operating system. Otherwise, you will have to unconfigure and reconfigure the policy server with a password that is valid for both Tivoli Access Manager and the operating system.
v Password confirmation
  Type the password again for confirmation.
v Policy server SSL port
  The SSL port number is already provided (7135). Modify the port number if needed.
v SSL certificate lifecycle (days)
  Type the number of days that the SSL certificate file is valid. The default is 1460 days (4 years).
v SSL connection timeout (seconds)
  Type the duration (in seconds) that an SSL connection waits for a response before timing out. The default is 7200 seconds.
19. Specify the LDAP administrator and management domain information and click Next.
v LDAP administrator DN
  Type the LDAP administrator distinguished name or accept the default value (cn=root).
v LDAP administrator password
  Type the password associated with the LDAP administrator DN.
v Management domain name
  Type the name of the management domain. The management domain is the initial administrative domain created when the policy server is configured. The management domain name must be unique within the LDAP server. The name must be an alphanumeric string of up to 64 characters and is case-insensitive.
v LDAP management domain location DN
  The distinguished name of the location within the LDAP server where the Access Manager metadata will be stored. By default, the management domain information is stored in its own suffix, using the format secAuthority=<management_domain_name>. Whether you specify a distinguished name or accept the default, the location must already exist in the LDAP server. For more information about management domains, see Tivoli Access Manager management domains on page 138.
20. Select one of the following formats for the LDAP objects that maintain the user and group tracking information and click Next.
The formats are:
v Minimal
  This format is valid only for IBM Tivoli Access Manager Version 6.0 or later. Use this format if you want to reduce the size of your user registry information by using minimal user and group tracking information.
v Standard
  This format can be used with any version of IBM Tivoli Access Manager.
Click Help for an explanation of the differences between the two formats.
21. Select whether to enable Federal Information Processing Standards (FIPS). Select the check box to enable FIPS. The installation wizard then creates all keys and certificates using FIPS-approved algorithms. If you use a certificate from a certificate authority (CA) and FIPS enablement is required, make sure that the certificate was generated with FIPS-approved algorithms. When this check box is selected, the IBM Tivoli Directory Server is also configured to use the appropriate FIPS secure communications protocol.
22. Review the summary that lists by disk drive (for Windows) or file systems (for UNIX or Linux) the amount of disk space that is required to install the Tivoli Access Manager component and the prerequisite components (if not already installed), including space needed from symbolic links. Then compare the amount of disk space required to the amount of disk space available. If sufficient space exists, click Next to continue.
23. Review the configuration options that you selected. If you want to change any of your selections, click Back. Click Next to begin the installation.
24. Monitor the installation and configuration of the policy server and its prerequisite products.
Windows systems: When prompted to restart your system, click Next. After your system restarts, the installation wizard is displayed again. Specify your language and click Next. When policy server configuration has completed, click Finish to exit the installation wizard.
After configuring the policy server, you can set up additional Tivoli Access Manager systems in the management domain. For a list of Tivoli Access Manager systems, see Components and prerequisites provided with Tivoli Access Manager systems on page 15.
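The management domain inputs in step 19 (an alphanumeric name of up to 64 characters, compared case-insensitively and unique within the LDAP server, and a location DN, by default the suffix secAuthority=<management_domain_name>, that must already exist) are the values the wizard rejects latest, after the prerequisite products are already on disk. The following Python script is an added example, not code from this guide or from the Tivoli Access Manager product: it applies those rules to a proposed name and location before you start the wizard, checking them against a constructed list of entry DNs that stands in for what a search of the server's suffixes would return. The entry list, the function names, and the sample domain names are assumptions for illustration.

```python
"""Pre-check the step 19 management domain inputs before running the wizard.
Added example; not code from the IBM Tivoli Access Manager installation guide."""
import re

# Step 19 rule: alphanumeric, at most 64 characters, compared case-insensitively.
_DOMAIN_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")


def normalize_dn(dn):
    """Lower-case and trim each RDN so DN comparisons are case-insensitive.
    Assumes plain RDNs with no escaped commas (true for secAuthority=... suffixes)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def default_location_dn(domain):
    """Default location DN from step 19: a suffix named after the domain."""
    return f"secAuthority={domain}"


def existing_domains(entries):
    """Management domains already present: suffix entries of the form secAuthority=<name>."""
    names = set()
    for dn in entries:
        norm = normalize_dn(dn)
        if "," not in norm and norm.startswith("secauthority="):
            names.add(norm.split("=", 1)[1])
    return names


def precheck_management_domain(domain, entries, location_dn=None):
    """Return a list of problems; an empty list means the wizard should accept the inputs.
    `entries` are DNs known to exist on the LDAP server (suffixes plus any candidate location)."""
    problems = []
    if not _DOMAIN_NAME_RE.match(domain):
        problems.append(f"domain name {domain!r} must be alphanumeric and at most 64 characters")
        return problems
    if domain.lower() in existing_domains(entries):
        problems.append(f"management domain {domain!r} already exists on this LDAP server")
    dn = location_dn or default_location_dn(domain)
    if normalize_dn(dn) not in {normalize_dn(e) for e in entries}:
        hint = "as a suffix " if location_dn is None else ""
        problems.append(f"location {dn!r} does not exist; create it {hint}before running the wizard")
    return problems


# Constructed sample: suffixes a search of the rootDSE namingContexts might return on a server
# that already hosts the initial management domain, plus one ordinary container entry.
SAMPLE_ENTRIES = ["cn=localhost", "dc=example,dc=com", "secAuthority=Default", "o=tam,dc=example,dc=com"]

if __name__ == "__main__":
    for name, loc in [("Default", None), ("Finance", None), ("Finance", "o=tam,dc=example,dc=com"), ("bad name!", None)]:
        print(name, loc, precheck_management_domain(name, SAMPLE_ENTRIES, loc))
```

Run it with the entry list replaced by the suffixes and containers reported by your own LDAP server; a non-empty result for the default location means the secAuthority suffix still has to be created before the policy server can be configured.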
v install_amproxy on page 404
v install_amrte on page 408
v install_amsms on page 409
v install_amsmscli on page 420
v install_amweb on page 424
v install_amwebadk on page 430
v install_amwebars on page 434
v install_amwpi on page 435
Table 25. Access Manager Runtime options LDAP (continued). * indicates a required option.
Directory name * (for the Access Manager Runtime; prompted on Windows only)
  Specifies the Access Manager Runtime installation directory. The default directory is C:\Program Files\Tivoli\Policy Director. Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:
  v UNIX or Linux: /opt/PolicyDirector
Enable Tivoli Common Directory for logging
  Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager writes its message and trace log data to the default locations defined by the product.
Directory name * (for Tivoli Common Directory)
  Specifies the fully qualified path for the Tivoli Common Directory.
  v If the location of the Tivoli Common Directory was already established on the system by the installation of another Tivoli application, the directory location is displayed in the field but cannot be modified.
  v If the location of the Tivoli Common Directory has not been established on the system, you can specify its location.
  If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory is:
  v Windows: C:\Program Files\ibm\tivoli\common
  v UNIX or Linux: /var/ibm/tivoli/common
  Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory named with a 3-character identifier. For IBM Tivoli Access Manager this is tivoli_common_dir/HPD. See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.
  If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:
  v Windows: C:\Program Files\Tivoli\Policy Director\log
  v UNIX or Linux: /var/PolicyDirector/log
Table 25. Access Manager Runtime options LDAP (continued). * indicates a required option.
Policy server host name *
  Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to as the master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. You can specify the fully qualified host name with or without the domain extension. Examples: pdmgr, pdmgr.tivoli.com
Policy server SSL port *
  Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.
Policy server CA certificate file
  Specifies the name of the policy server certificate file that is used by the certificate authority (CA), which is the Tivoli Access Manager certificate authority (PDCA). Configuration of the Tivoli Access Manager policy server creates and saves a default SSL base64-encoded certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS-approved algorithms. To obtain this file, do one of the following tasks:
  v During configuration of Access Manager Runtime, leave this field blank; the pdcacert.b64 file is then downloaded automatically.
  v Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.
  You must distribute this file to each machine in your secure domain; it is needed for successful configuration. The default location is:
  v Windows: C:\Program Files\Tivoli\Policy Director\keytab\pdcacert.b64
  v UNIX or Linux: /var/PolicyDirector/keytab/pdcacert.b64
Domain *
  Specifies the name of the Tivoli Access Manager default domain, which is known as the management domain. This domain is created when the policy server is configured. The default domain enforces security policies for authentication, authorization, and access control. Any security policy that is implemented in a domain affects only those objects in that domain. Users with authority to perform tasks in one domain do not necessarily have authority to perform those tasks in other domains. The default value is Default, which indicates the management domain.
LDAP server host name
  Specifies the host name or IP address of the LDAP type of registry server. You can specify the fully qualified host name with or without the domain extension. Examples: ldapserver, ldapserver.tivoli.com
LDAP server port
  Specifies the port number on which the LDAP type of registry server listens for requests. The default port number is 389.
Table 25. Access Manager Runtime options LDAP (continued). * indicates a required option.
Enable SSL with the registry server (prompted on Windows only)
  Specifies whether to enable encrypted Secure Sockets Layer (SSL) connections with an LDAP server. Note: You must first configure the LDAP server for SSL access. Default: enabled (check box is selected). On Windows only, you can enable SSL with the LDAP server. If SSL is enabled, you are prompted for the next four values:
SSL key file with full path *
  Specifies the fully qualified path where the existing SSL client key file is located. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb. Copy the SSL key file from the registry server system to any directory on your local system.
SSL key file password *
  The existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If you change it, remember the new password.
Certificate label
  Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the LDAP server has been configured to require client authentication. For example: PDLDAP. Use a certificate label to distinguish between multiple certificates within the SSL key file, or to select a certificate other than the default certificate in the key file. Otherwise, leave this field blank.
SSL port *
  Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.
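The Policy server CA certificate file entry in Table 25 says that the runtime either downloads pdcacert.b64 automatically or uses a copy that you place in the keytab directory, and that every machine in the secure domain needs the file. Because the runtime relies on whichever copy ends up in keytab, a practitioner normally records the file's fingerprint on the policy server and checks each distributed copy against that value before configuring the runtime. The following Python script is an added example, not code from this guide or from the product: it decodes the base64 body of the PEM file, fingerprints the DER bytes with SHA-256, and compares the result with a recorded value in constant time. The PEM sample embedded in it is constructed from arbitrary bytes rather than a real certificate, and the function names are assumptions.

```python
"""Fingerprint check for distributed copies of pdcacert.b64.
Added example; not code from the IBM Tivoli Access Manager installation guide."""
import base64
import hashlib
import hmac
import re

# Match one PEM block; the backreference rejects mismatched BEGIN/END labels.
_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first PEM block in pem_text.
    Whitespace inside the body is dropped, so 64-column wrapping does not matter."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM block found; pdcacert.b64 should hold a base64-encoded certificate")
    body = "".join(match.group(2).split())
    return base64.b64decode(body, validate=True)


def fingerprint_sha256(pem_text):
    """SHA-256 over the DER encoding, the usual form in which a certificate fingerprint is quoted."""
    return hashlib.sha256(pem_to_der(pem_text)).hexdigest()


def copy_matches(local_pem_text, recorded_fingerprint):
    """True when the local copy fingerprints to the value recorded on the policy server."""
    return hmac.compare_digest(fingerprint_sha256(local_pem_text), recorded_fingerprint.lower())


def wrap_pem(der, label="CERTIFICATE"):
    """Build a PEM envelope around DER bytes, wrapping the base64 at 64 columns."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample: stand-ins for the policy server's original file and a corrupted copy.
# The bytes are arbitrary, not a real certificate; the fingerprint logic does not depend on that.
ORIGINAL_DER = bytes(range(96))
POLICY_SERVER_COPY = wrap_pem(ORIGINAL_DER)
TAMPERED_COPY = wrap_pem(ORIGINAL_DER[:-1] + b"\xff")

if __name__ == "__main__":
    recorded = fingerprint_sha256(POLICY_SERVER_COPY)  # value written down on the policy server
    print("recorded fingerprint:", recorded)
    print("good copy matches:", copy_matches(POLICY_SERVER_COPY, recorded))
    print("tampered copy matches:", copy_matches(TAMPERED_COPY, recorded))
```

In practice you would read the real pdcacert.b64 from the keytab path given above on each machine and pass the fingerprint taken on the policy server as the recorded value; a mismatch means the copy should be replaced before the runtime is configured against it.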
Table 26. Access Manager Runtime options Active Directory (continued). * indicates a required option.
Directory name * (for the IBM Tivoli Security Utilities; prompted on Windows only)
  Specifies the IBM Tivoli Security Utilities installation directory. The default directory is C:\Program Files\Tivoli\TivSecUtl. Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:
  v UNIX and Linux: /opt/IBM/Tivoli/SecUtilities
Directory name * (for the Access Manager Runtime; prompted on Windows only)
  Specifies the Access Manager Runtime installation directory. The default directory is C:\Program Files\Tivoli\Policy Director. Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:
  v UNIX or Linux: /opt/PolicyDirector
Enable Tivoli Common Directory for logging
  Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager writes its message and trace log data to the default locations defined by the product.
Table 26. Access Manager Runtime options Active Directory (continued). * indicates a required option.
Directory name * (for Tivoli Common Directory)
  Specifies the fully qualified path for the Tivoli Common Directory.
  v If the location of the Tivoli Common Directory was already established on the system by the installation of another Tivoli application, the directory location is displayed in the field but cannot be modified.
  v If the location of the Tivoli Common Directory has not been established on the system, you can specify its location.
  If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory is:
  v Windows: C:\Program Files\ibm\tivoli\common
  v UNIX or Linux: /var/ibm/tivoli/common
  Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory named with a 3-character identifier. For IBM Tivoli Access Manager this is tivoli_common_dir/HPD. See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.
  If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:
  v Windows: C:\Program Files\Tivoli\Policy Director\log
  v UNIX or Linux: /var/PolicyDirector/log
Active Directory administrator ID
  Specifies the identifier for the administrator account of the Microsoft Active Directory domain. This administrator ID was created when the Microsoft Active Directory domain was created. The account should be a member of the Administrators, Domain Admins, Enterprise Admins, and Schema Admins groups. Note that this administrator account is a Microsoft Active Directory user only, not a Tivoli Access Manager user.
Active Directory administrator password
  Specifies the password for the Microsoft Active Directory domain administrator ID. This password was set when you created your Microsoft Active Directory administrator account.
Table 26. Access Manager Runtime options Active Directory (continued). * indicates a required option.
Policy server host name *
  Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to as the master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. Example: pdmgr.tivoli.com. Note: If you are using Active Directory as your registry, a fully qualified host name is required.
Policy server SSL port *
  Specifies the port number on which the Tivoli Access Manager policy server listens for SSL requests. The default port number is 7135.
Policy server CA certificate file
  Specifies the name of the policy server certificate file that is used by the certificate authority (CA), which is the Tivoli Access Manager certificate authority (PDCA). Configuration of the Tivoli Access Manager policy server creates and saves a default SSL base64-encoded certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS-approved algorithms. To obtain this file, do one of the following tasks:
  v During configuration of Access Manager Runtime, leave this field blank; the pdcacert.b64 file is then downloaded automatically.
  v Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.
  You must distribute this file to each machine in your secure domain; it is needed for successful configuration. The default location is:
  v Windows: C:\Program Files\Tivoli\Policy Director\keytab\pdcacert.b64
  v UNIX or Linux: /var/PolicyDirector/keytab/pdcacert.b64
Local host name *
  The installation wizard detects and fills in the host name of your system. Specifies the fully qualified name or IP address of the host system on which the registry server is to be located. For example: dana.tivoli.com
Table 26. Access Manager Runtime options Active Directory (continued). * indicates a required option.
Active Directory host name *
  Specifies the host name of the Microsoft Active Directory domain controller. Domain Name Service (DNS) translates the Microsoft Active Directory host name into the corresponding IP address whenever you use a domain name. For example: adserver.tivoli.com. Note: If you are using Active Directory as your registry, a fully qualified host name is required.
Active Directory domain *
  Specifies the name of the Microsoft Active Directory root (primary) domain. When a single Active Directory domain is configured, this can be the name of a Microsoft Active Directory secondary domain. The name is domain-dependent, based on what you select during runtime configuration of Tivoli Access Manager. The domain information is necessary only when your user registry is Microsoft Active Directory and you configure the use of multiple Microsoft Active Directory domains. For example: dc=tivoli,dc=com
Configure to multiple Active Directory domains
  Select the check box to configure multiple Active Directory domains. If not selected, Tivoli Access Manager is configured to a single domain. An example of multiple Microsoft Active Directory domains is a single Tivoli Access Manager domain that spans multiple Microsoft Active Directory domains. When configured for multiple Microsoft Active Directory domains, the command line displays the Tivoli Access Manager administrator ID (the default is sec_master) as sec_master@domain_name. Default: not enabled (Tivoli Access Manager is configured for a single domain).
Enable encrypted connections (prompted on Windows only)
  Specifies whether encrypted communication to Microsoft Active Directory should be used. When the check box is selected, Kerberos is used in the Microsoft Active Directory Service Interface (ADSI) to encrypt data in the connection to the Microsoft Active Directory server. This setting is equivalent to enabling an SSL connection in an environment other than Windows, or on Windows systems that do not belong to an Active Directory domain where the Tivoli Access Manager policy server is configured. Default: not enabled (Tivoli Access Manager is not configured for encryption).
Table 26. Access Manager Runtime options Active Directory (continued). * indicates a required option.
Enable SSL with the registry server
  Specifies whether to enable encrypted Secure Sockets Layer (SSL) connections between the LDAP client and the registry server (Active Directory server). The check box is selected automatically if the Enable encrypted connections check box is selected and you are installing on a UNIX system or on a system that does not belong to an Active Directory domain where the Tivoli Access Manager policy server is configured. Note: You must first set up the registry server for SSL access before you set up the client. Select the check box to enable SSL communications to protect information such as user passwords and private data. SSL is not required for Tivoli Access Manager to operate, but it encrypts the transmitted data to provide privacy and integrity. Default: not enabled (the check box is not selected). If SSL with the registry server is enabled, you are prompted for the next four values:
SSL key file with full path *
  Specifies the fully qualified path where the existing SSL client key file is located. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb. This key file must be created using the IBM Global Security Kit (GSKit) gsk7ikm utility and the Active Directory server CA certificate. Copy the SSL key file from the registry server system to any directory on your local system.
SSL key file password *
  The existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If you change it, remember the new password.
Certificate label
  Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the LDAP server has been configured to require client authentication. For example: PDLDAP. Use a certificate label to distinguish between multiple certificates within the SSL key file, or to select a certificate other than the default certificate in the key file. Otherwise, leave this field blank.
SSL port *
  Specifies the port number on which the registry server listens for SSL requests. The default port number is 636.
Table 26. Access Manager Runtime options Active Directory (continued). * indicates a required option.
Access Manager data location distinguished name *
  Specifies the distinguished name that Microsoft Active Directory uses to indicate where Tivoli Access Manager data is stored. The default value is the value entered for Active Directory domain, that is, the Microsoft Active Directory primary domain name. For example: ou=myou,dc=tivoli,dc=com. If Tivoli Access Manager is configured using multiple Active Directory domains, this value is set automatically to the Active Directory primary domain; the field is prompted for input only when the Configure to multiple Active Directory domains check box is not selected. Make sure that the distinguished name already exists on the Active Directory server.
Table 27. Access Manager Runtime options Domino. * indicates a required option.
Directory name (for IBM Global Security Kit)
  Specifies the IBM Global Security Kit (GSKit) installation directory. The default directory is C:\Program Files\ibm\gsk7.
Directory name * (for the IBM Tivoli Security Utilities; prompted on Windows only)
  Specifies the IBM Tivoli Security Utilities installation directory. The default directory is C:\Program Files\Tivoli\TivSecUtl. Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:
  v UNIX and Linux: /opt/IBM/Tivoli/SecUtilities
Directory name * (for the Access Manager Runtime; prompted on Windows only)
  Specifies the Access Manager Runtime installation directory. The default directory is C:\Program Files\Tivoli\Policy Director.
Enable Tivoli Common Directory for logging
  Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager writes its message and trace log data to the default locations defined by the product.
Table 27. Access Manager Runtime options Domino (continued). * indicates a required option.
Directory name * (for Tivoli Common Directory)
  Specifies the fully qualified path for the Tivoli Common Directory.
  v If the location of the Tivoli Common Directory was already established on the system by the installation of another Tivoli application, the directory location is displayed in the field but cannot be modified.
  v If the location of the Tivoli Common Directory has not been established on the system, you can specify its location.
  If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory is:
  v Windows: C:\Program Files\ibm\tivoli\common
  v UNIX or Linux: /var/ibm/tivoli/common
  Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory named with a 3-character identifier. For IBM Tivoli Access Manager this is tivoli_common_dir/HPD. See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.
  If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:
  v Windows: C:\Program Files\Tivoli\Policy Director\log
  v UNIX or Linux: /var/PolicyDirector/log
Policy server host name *
  Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to by its original name, the master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. You can specify the fully qualified host name with or without the domain extension. Examples: pdmgr, pdmgr.tivoli.com
Policy server SSL port *
  Specifies the port number on which the Tivoli Access Manager policy server listens for SSL requests. The default port number is 7135.
Table 27. Access Manager Runtime options Domino (continued). * indicates a required option.
Policy server CA certificate file
  Specifies the name of the policy server certificate file that is used by the certificate authority (CA), which is the Tivoli Access Manager certificate authority (PDCA). Configuration of the Tivoli Access Manager policy server creates and saves a default SSL base64-encoded certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS-approved algorithms. To obtain this file, do one of the following tasks:
  v During configuration of Access Manager Runtime, leave this field blank; the pdcacert.b64 file is then downloaded automatically.
  v Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.
  You must distribute this file to each machine in your secure domain; it is needed for successful configuration. The default location is:
  v Windows: C:\Program Files\Tivoli\Policy Director\keytab\pdcacert.b64
  v UNIX: /var/PolicyDirector/keytab/pdcacert.b64
Domino host name *
  Specifies the fully qualified name of the IBM Lotus Domino server. For example: domino1/Austin/Tivoli
Notes client password *
  Specifies the password that is associated with the Notes client software administrative user's ID file located on the IBM Lotus Domino server. Note: The Notes ID must be associated with a Tivoli Access Manager administrative ID with sufficient rights to add, modify, and delete users and groups in the Notes address book (NAB), and to create, modify, and delete the Tivoli Access Manager metadata database on the server.
Name and address book
  Specifies the IBM Lotus Notes name and address book (NAB), which contains your contacts, connections, locations, and Personal Address Book data. This database is located in the IBM Lotus Domino directory on your server. The database file name is set at configuration time and cannot be changed. The file name extension must always be .nsf. The file name conforms to the file naming conventions of the operating system underlying the IBM Lotus Domino server. The default value is names.nsf.
Metadata database
  Specifies the name of the metadata database on the IBM Lotus Domino server that holds Tivoli Access Manager data. The default value is PDMdata.nsf.
install_amacld
Table 28 lists the additional options that the install_amacld wizard prompts for during installation, as instructed in Installing using the installation wizard on page 154. Note: You might not see all of the configuration options if a runtime or prerequisite component is already installed, or if you are not configuring SSL.
Table 28. install_amacld configuration options. * indicates a required option.
Registry *
  Select the type of registry server set up for Tivoli Access Manager. The default value is LDAP. The registry server types supported by Tivoli Access Manager are:
  v LDAP: use the IBM Tivoli Directory Server user registry.
  v Active Directory: use the Microsoft Active Directory Server user registry.
  v Domino: use the IBM Lotus Domino Server user registry.
  The Tivoli Access Manager authorization server installation wizard (install_amacld) first prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following:
  v Access Manager Runtime (LDAP) on page 378
  v Access Manager Runtime (Active Directory) on page 382
  v Access Manager Runtime (Domino) on page 389
Directory name * (for the IBM Tivoli Directory Server client; prompted on Windows only)
  Specifies the IBM Tivoli Directory Server client installation directory. The default directory on Windows is C:\Program Files\ibm\LDAP. Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
  v AIX and Linux: /usr/ldap
  v HP-UX and Solaris: /opt/IBM/V6.1
Directory name * (for the IBM Tivoli Security Utilities; prompted on Windows only)
  Specifies the IBM Tivoli Security Utilities installation directory. The default directory is C:\Program Files\Tivoli\TivSecUtl. Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:
  v UNIX and Linux: /opt/IBM/Tivoli/SecUtilities
Directory name * (for Access Manager Runtime; prompted on Windows only)
  Specifies the Access Manager Runtime installation directory. The default directory on Windows is C:\Program Files\Tivoli\Policy Director. You are prompted for the installation directory on Windows only; on other platforms the default installation directory is:
  - UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging
  Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files such as trace and message logs.

Directory name * (for Tivoli Common Directory)
  Specifies the fully qualified path of the Tivoli Common Directory.
  - If the location of the Tivoli Common Directory was previously established on the system by the installation of another Tivoli application, that location is displayed in the field and cannot be modified.
  - If the location has not previously been established on the system, you can specify it.
  If Tivoli Common Directory is enabled and the location has not previously been established, the default common directories are:
  - Windows: C:\Program Files\ibm\tivoli\common
  - UNIX or Linux: /var/ibm/tivoli/common
  Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory named with a 3-character identifier. For IBM Tivoli Access Manager the subdirectory is tivoli_common_dir/HPD. See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.
  If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:
  - Windows: C:\Program Files\Tivoli\Policy Director\log
  - UNIX or Linux: /var/PolicyDirector/log

Policy server host name *
  Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to by its original name, the master authorization database), updates the database replicas whenever the master database changes, and replicates the policy information throughout the domains. It also maintains location information about the other resource managers operating in the domain. At least one policy server must be defined for each domain. Examples: pdmgr or pdmgr.tivoli.com
Policy server SSL port *
  Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Policy server CA certificate file
  Specifies the name of the certificate authority (CA) certificate file used by the policy server; the CA is the Tivoli Access Manager certificate authority (PDCA). Configuring the policy server creates and saves a default base64-encoded CA certificate file named pdcacert.b64. The SSL key file and certificate are created using FIPS-approved algorithms. To obtain this file, do one of the following:
  - Leave this field blank during configuration of Access Manager Runtime; the pdcacert.b64 file is then downloaded automatically.
  - Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.
  You must distribute this file to each machine in your secure domain; configuration cannot succeed without it. The default location is:
  - Windows: C:\Program Files\Tivoli\Policy Director\keytab\pdcacert.b64
  - UNIX or Linux: /var/PolicyDirector/keytab/pdcacert.b64

Domain *
  Specifies the name of the Tivoli Access Manager default domain, known as the management domain. This domain is created when the policy server is configured. The default domain enforces security policies for authentication, authorization, and access control. A security policy implemented in a domain affects only the objects in that domain, and users with authority to perform tasks in one domain do not necessarily have that authority in other domains. The default domain name is Default.

Tivoli Access Manager administrator ID *
  Specifies the identifier of the existing administrator account of the Tivoli Access Manager management domain. The administrator ID was created when the Tivoli Access Manager policy server was first configured. The default administrator ID is sec_master.

Tivoli Access Manager administrator password *
  Specifies the password of the existing Tivoli Access Manager administrator ID. This password was set when the administrator account was created.

Local host name *
  Specifies the fully qualified name or IP address of the host system on which the Tivoli Access Manager authorization server is to be located. The installation wizard detects and fills in the host name of your system. For example: dana.tivoli.com

Administration request port *
  Specifies the port number on which the authorization server listens for administration requests. Use the default port number, which is server-dependent. The default for the Tivoli Access Manager authorization server is 7137.
Authorization request port *
  Specifies the port number on which the authorization server listens for authorization requests. Use the default port number, which is server-dependent. The default for the Tivoli Access Manager authorization server is 7136.

Enable SSL with the registry server (prompted on Windows only)
  Specifies whether to enable encrypted Secure Sockets Layer (SSL) communication between the Tivoli Access Manager authorization server and the registry server. Default: enabled (check box is selected).
  Note: You must first configure the registry server for SSL access.

Enable the use of e-mail address as user ID
  Enables the use of an e-mail address as the userPrincipalName user ID.

Global Catalog server host name (Active Directory LDAP mode only)
  Specifies the host name of the Active Directory Global Catalog server.

Global Catalog server port (Active Directory LDAP mode only)
  Specifies the Active Directory Global Catalog port. Without SSL, the default is 3268; with SSL, the default is 3269.

On UNIX only, you can enable SSL with the registry server. If SSL is enabled, you are prompted for the next four values:

SSL key file with full path *
  Specifies the fully qualified path of the existing SSL client key file. The key file holds the client-side certificates used in SSL communication; its extension is always .kdb. Copy the SSL key file from the registry server system to any directory on your local system and specify its full path and file name here.

SSL key file password *
  The existing password associated with the specified SSL key file. The client key file password was set when the key file was first created. You can change it with the IBM Global Security Kit (GSKit) utility gsk7ikm; if you change it, keep a record of the new password.

Certificate label
  Specifies the label of the SSL client certificate. The label is valid only when SSL is in use and the LDAP server is configured to require client authentication. For example: PDLDAP. Use a certificate label to distinguish between multiple certificates within the SSL key file, or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

SSL port *
  Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.
install_amadk
The Access Manager Application Development Kit (ADK) system wizard (install_amadk) prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these options, see the runtime that applies:
- Access Manager Runtime (LDAP) on page 378
- Access Manager Runtime (Active Directory) on page 382
- Access Manager Runtime (Domino) on page 389
There are no ADK-specific configuration options.
install_amjrte
Table 29 lists the configuration options for an Access Manager Runtime for Java system. You are prompted for these options during configuration with the install_amjrte installation wizard, as described in Chapter 7, Setting up an Access Manager Runtime for Java system, on page 173.

Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed, or if you are not configuring for SSL.

Table 29. install_amjrte configuration options. * indicates a required option.

Directory name * (prompted on Windows only)
  Specifies the Access Manager Runtime for Java directory. The default directory on Windows is C:\Program Files\Tivoli\Policy Director. You are prompted for the installation directory on Windows only; on other platforms the default installation directory is:
  - UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging
  Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files such as trace and message logs.

Directory name * (for Tivoli Common Directory)
  Specifies the fully qualified path of the Tivoli Common Directory.
  - If the location of the Tivoli Common Directory was previously established on the system by the installation of another Tivoli application, that location is displayed in the field and cannot be modified.
  - If the location has not previously been established on the system, you can specify it.
  If Tivoli Common Directory is enabled and the location has not previously been established, the default common directories are:
  - Windows: C:\Program Files\ibm\tivoli\common
  - UNIX or Linux: /var/ibm/tivoli/common
  Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory named with a 3-character identifier. For IBM Tivoli Access Manager the subdirectory is tivoli_common_dir/HPD. See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.
  If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:
  - Windows: C:\Program Files\Tivoli\Policy Director\log
  - UNIX or Linux: /var/PolicyDirector/log
Policy server host name *
  Specifies the host name or IP address of the Tivoli Access Manager policy server. The policy server manages the policy database (sometimes referred to by its original name, the master authorization database), updates the database replicas whenever the master database changes, and replicates the policy information throughout the domains. It also maintains location information about the other resource managers operating in the domain. At least one policy server must be defined for each domain. Examples: pdmgr or pdmgr.tivoli.com

Policy server SSL port *
  Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

JRE directory *
  Specifies the fully qualified path of the Java Runtime Environment (JRE) that is being configured for Tivoli Access Manager. This is the JRE that was installed with the server you are installing. The default JRE directory is server-dependent and server-version-dependent; the default value is taken from the $JAVA_HOME environment variable. If you installed using the -is:javahome option, the path shown is the one you specified with that option.
install_ammgr
The Tivoli Access Manager policy server installation wizard (install_ammgr) first prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these options, see the runtime that applies:
- Access Manager Runtime (LDAP) on page 378
- Access Manager Runtime (Active Directory) on page 382
- Access Manager Runtime (Domino) on page 389

Table 30 lists the additional options that the install_ammgr wizard prompts for during installation, as described in Installing using the installation wizard on page 141.

Notes:
1. Depending on whether you are installing on Windows, UNIX or Linux, you might be prompted for these options in a different order than listed.
2. You might not see all of the configuration options if a runtime or prerequisite component has already been installed, or if you are not configuring for SSL.

Table 30. install_ammgr configuration options. * indicates a required option.

Registry *
  Select the type of registry server that has been set up for Tivoli Access Manager. The default value is LDAP. The registry server types supported by Tivoli Access Manager are:
  - LDAP: the IBM Tivoli Directory Server user registry.
  - Active Directory: the Microsoft Active Directory Server user registry.
  - Domino: the IBM Lotus Domino Server user registry.
  The install_ammgr wizard first prompts you for Access Manager Runtime configuration options based on the type of registry server; see the runtime sections listed above.
Directory name * (for the IBM Global Security Kit (GSKit); prompted on Windows only)
  Specifies the IBM Global Security Kit (GSKit) installation directory, if GSKit is not already installed. The default directory on Windows is C:\Program Files\ibm\gsk7. You are prompted for the installation directory on Windows only; on other platforms the default installation directories are:
  - AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
  - HP-UX and Solaris: /opt/ibm/gsk7
  - HP-UX on Integrity: /opt/ibm/gsk7_32 (32-bit) or /opt/ibm/gsk7_64 (64-bit)
  - Linux: /usr/local/ibm/gsk7

Directory name * (for the IBM Tivoli Directory Server client; prompted on Windows only)
  Specifies the IBM Tivoli Directory Server client installation directory, if the client is not already installed. The default directory on Windows is C:\Program Files\ibm\LDAP. You are prompted for the installation directory on Windows only; on other platforms the default installation directories are:
  - AIX and Linux: /usr/ldap
  - HP-UX and Solaris: /opt/IBM/V6.1

Directory name * (for the IBM Tivoli Security Utilities; prompted on Windows only)
  Specifies the IBM Tivoli Security Utilities installation directory. The default directory on Windows is C:\Program Files\Tivoli\TivSecUtl. You are prompted for the installation directory on Windows only; on other platforms the default installation directory is:
  - UNIX and Linux: /opt/IBM/Tivoli/SecUtilities

Directory name * (for the Access Manager Runtime; prompted on Windows only)
  Specifies the Access Manager Runtime installation directory, if the runtime is not already installed. The default directory on Windows is C:\Program Files\Tivoli\Policy Director. You are prompted for the installation directory on Windows only; on other platforms the default installation directory is:
  - UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging
  Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files such as trace and message logs.
Directory name * (for Tivoli Common Directory)
  Specifies the fully qualified path of the Tivoli Common Directory.
  - If the location of the Tivoli Common Directory was previously established on the system by the installation of another Tivoli application, that location is displayed in the field and cannot be modified.
  - If the location has not previously been established on the system, you can specify it.
  If Tivoli Common Directory is enabled and the location has not previously been established, the default common directories are:
  - Windows: C:\Program Files\ibm\tivoli\common
  - UNIX or Linux: /var/ibm/tivoli/common
  Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory named with a 3-character identifier. For IBM Tivoli Access Manager the subdirectory is tivoli_common_dir/HPD. See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.
  If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:
  - Windows: C:\Program Files\Tivoli\Policy Director\log
  - UNIX or Linux: /var/PolicyDirector/log

LDAP server host name *
  Specifies the host name or IP address of the registry server. You can specify the fully qualified host name with or without the domain extension. Examples: registryserver or registryserver.tivoli.com

LDAP server port *
  Specifies the port number on which the registry server listens for requests. The default port number is 389.

Enable SSL with the registry server
  Specifies whether to enable encrypted Secure Sockets Layer (SSL) communication between the Tivoli Access Manager policy server and the registry server. Default: enabled (check box is selected).
  Note: You must first configure the registry server for SSL access.

Tivoli Access Manager administrator password *
  Specifies the password for the Tivoli Access Manager administrator ID.

Tivoli Access Manager password confirmation *
  Specifies the Tivoli Access Manager administrator password again, for confirmation.

Policy server SSL port *
  Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

SSL certificate lifecycle (days) *
  Specifies the number of days for which the SSL certificate file is valid. The default is 1460 days (4 years).
SSL connection timeout (seconds) *
  Specifies how long, in seconds, an SSL connection waits for a response before timing out. The default is 7200 seconds.

Enable Federal Information Processing Standards (FIPS)
  Select the check box to enable Federal Information Processing Standards (FIPS). The installation wizard then creates all keys and certificates using FIPS-approved algorithms. When using a certificate from a certificate authority (CA), if FIPS enablement is required, make sure the certificate was generated with FIPS-approved algorithms. Selecting this check box also configures the IBM Tivoli Directory Server to use the appropriate FIPS secure communications protocol. Default: not enabled (check box is not selected).

You can enable SSL with the registry server. If SSL is enabled, you are prompted for the next four values:

SSL key file with full path *
  Specifies the fully qualified path of the existing SSL client key file. The key file holds the client-side certificates used in SSL communication; its extension is always .kdb. Copy the SSL key file from the registry server system to any directory on your local system and specify its full path and file name here.

SSL key file password *
  The existing password associated with the specified SSL key file. The client key file password was set when the key file was first created. You can change it with the IBM Global Security Kit (GSKit) utility gsk7ikm; if you change it, keep a record of the new password.

Certificate label
  Specifies the label of the SSL client certificate. The label is valid only when SSL is in use and the LDAP server is configured to require client authentication. For example: PDLDAP. Use a certificate label to distinguish between multiple certificates within the SSL key file, or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

SSL port *
  Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.

If you enable SSL with an LDAP server, you are also prompted for the following two values:

LDAP administrator DN *
  Specifies the distinguished name of the LDAP administrator. The default is cn=root.

LDAP administrator password *
  Specifies the password associated with the LDAP administrator DN.
Management domain name
  The name of the management domain, which is the initial administrative domain created when the policy server is configured. The name must be unique within the LDAP server, must be an alphanumeric string of up to 64 characters, and is case-insensitive. The default is Default. For more information about management domains, see Tivoli Access Manager management domains on page 138.

LDAP management domain location DN
  The distinguished name of the location within the LDAP server where the Access Manager metadata is stored. By default, the management domain information is stored in its own suffix, named secAuthority=<management_domain_name>. Whether you specify a distinguished name or use the default, the location must already exist in the LDAP server. For more information about management domains, see Tivoli Access Manager management domains on page 138.
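The option tables state a number of rules that are easy to get wrong when answering the wizards by hand: the four SSL prompts (key file, key file password, certificate label, SSL port) only apply when SSL with the registry server is enabled, the Global Catalog and registry ports have different defaults with and without SSL, and the management domain name must be alphanumeric and at most 64 characters. The following is an added example, not code from Tivoli Access Manager or from this guide, that checks a set of intended answers to the install_amacld (Table 28) and install_ammgr (Table 30) prompts against those rules before the wizard is run. The field names on WizardAnswers are this example's own and are not wizard parameter names or response-file keys; the constructed answers in the main block are illustrative only.

```python
"""Consistency checks for answers to the install_amacld / install_ammgr prompts.

Added example, not part of Tivoli Access Manager or its installation guide. It
encodes constraints stated in the option tables: the default ports, which prompts
apply only when SSL with the registry server is enabled, the management domain
name rule, and the default secAuthority suffix. Field names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Defaults stated in the option tables.
POLICY_SERVER_SSL_PORT = 7135
LDAP_PORT, LDAPS_PORT = 389, 636
GC_PORT, GC_SSL_PORT = 3268, 3269
# Management domain name: alphanumeric, up to 64 characters, case-insensitive.
DOMAIN_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")


@dataclass
class WizardAnswers:
    registry: str = "LDAP"                  # LDAP | Active Directory | Domino
    policy_server_host: str = ""
    policy_server_ssl_port: int = POLICY_SERVER_SSL_PORT
    domain: str = "Default"
    admin_id: str = "sec_master"
    admin_password: str = ""
    registry_host: str = ""
    registry_port: int = LDAP_PORT
    registry_ssl: bool = True               # "Enable SSL with the registry server"
    ssl_key_file: str = ""                  # GSKit key database, always .kdb
    ssl_key_file_password: str = ""
    certificate_label: str = ""             # meaningful only when registry_ssl is True
    ssl_port: int = LDAPS_PORT
    gc_host: str = ""                       # Active Directory LDAP mode only
    gc_port: Optional[int] = None


def management_domain_dn(domain: str) -> str:
    """Default suffix under which the management domain metadata is stored."""
    return f"secAuthority={domain}"


def _port_ok(port: Optional[int]) -> bool:
    return isinstance(port, int) and 1 <= port <= 65535


def check_answers(a: WizardAnswers) -> List[str]:
    """Return findings; an empty list means the answers are mutually consistent."""
    findings: List[str] = []
    if not a.policy_server_host:
        findings.append("policy server host name is required")
    if not _port_ok(a.policy_server_ssl_port):
        findings.append("policy server SSL port must be 1-65535")
    if not DOMAIN_NAME_RE.match(a.domain):
        findings.append("management domain name must be alphanumeric and at most 64 characters")
    if not a.admin_id or not a.admin_password:
        findings.append("administrator ID and password are required")
    if not a.registry_host:
        findings.append("registry server host name is required")
    if not _port_ok(a.registry_port):
        findings.append("registry server port must be 1-65535")

    if a.registry_ssl:
        # The four SSL prompts are asked only when SSL with the registry is enabled.
        if not a.ssl_key_file.lower().endswith(".kdb"):
            findings.append("SSL key file must be a GSKit .kdb key database")
        if not a.ssl_key_file_password:
            findings.append("SSL key file password is required when SSL is enabled")
        if a.ssl_port == LDAP_PORT:
            findings.append(f"SSL port {LDAP_PORT} is the cleartext LDAP default; "
                            f"the LDAP SSL default is {LDAPS_PORT}")
    else:
        if a.certificate_label:
            findings.append("certificate label is ignored unless SSL with the registry is enabled")
        if a.registry_port == LDAPS_PORT:
            findings.append(f"registry port {LDAPS_PORT} is the SSL port, but SSL is not enabled")

    if a.registry == "Active Directory" and a.gc_host:
        expected = GC_SSL_PORT if a.registry_ssl else GC_PORT
        if a.gc_port not in (None, expected):
            findings.append(f"Global Catalog port {a.gc_port} does not match the "
                            f"{'SSL' if a.registry_ssl else 'non-SSL'} default {expected}")
    return findings


if __name__ == "__main__":
    # Constructed answers for an LDAP registry with SSL enabled (illustrative only).
    answers = WizardAnswers(policy_server_host="pdmgr.tivoli.com",
                            admin_password="change-me",
                            registry_host="registryserver.tivoli.com",
                            ssl_key_file="/tmp/pdldap_client.kdb",
                            ssl_key_file_password="kdb-password")
    for finding in check_answers(answers) or ["answers are consistent"]:
        print(finding)
    print(management_domain_dn(answers.domain))
```

The checks are deliberately limited to what the tables state; they do not replace confirming that the registry server actually accepts SSL on the chosen port, which the tables require you to configure first.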
install_amproxy
Table 31 lists the additional options that the install_amproxy wizard prompts for during installation, as described in Installing using the installation wizard on page 181.

Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed, or if you are not configuring for SSL.
Table 31. install_amproxy configuration options. * indicates a required option.

Registry *
  Select the type of registry server that has been set up for Tivoli Access Manager. LDAP is the default. The Tivoli Access Manager policy proxy server installation wizard (install_amproxy) first prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these options, see the runtime that applies:
  - Access Manager Runtime (LDAP) on page 378
  - Access Manager Runtime (Active Directory) on page 382
  - Access Manager Runtime (Domino) on page 389

Directory name * (for the IBM Global Security Kit (GSKit); prompted on Windows only)
  Specifies the IBM Global Security Kit (GSKit) installation directory, if GSKit is not already installed. The default directory on Windows is C:\Program Files\ibm\gsk7. You are prompted for the installation directory on Windows only; on other platforms the default installation directories are:
  - AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
  - HP-UX and Solaris: /opt/ibm/gsk7
  - HP-UX on Integrity: /opt/ibm/gsk7_32 (32-bit) or /opt/ibm/gsk7_64 (64-bit)
  - Linux: /usr/local/ibm/gsk7

Directory name * (for the IBM Tivoli Directory Server client; prompted on Windows only)
  Specifies the IBM Tivoli Directory Server client installation directory, if the client is not already installed. The default directory on Windows is C:\Program Files\ibm\LDAP. You are prompted for the installation directory on Windows only; on other platforms the default installation directories are:
  - AIX and Linux: /usr/ldap
  - HP-UX and Solaris: /opt/IBM/V6.1

Directory name * (for the IBM Tivoli Security Utilities; prompted on Windows only)
  Specifies the IBM Tivoli Security Utilities installation directory. The default directory on Windows is C:\Program Files\Tivoli\TivSecUtl. You are prompted for the installation directory on Windows only; on other platforms the default installation directory is:
  - UNIX and Linux: /opt/IBM/Tivoli/SecUtilities
Directory name * (for the Access Manager Runtime; prompted on Windows only)
  Specifies the Access Manager Runtime installation directory, if the runtime is not already installed. The default directory on Windows is C:\Program Files\Tivoli\Policy Director. You are prompted for the installation directory on Windows only; on other platforms the default installation directory is:
  - UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging
  Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager writes its message and trace log data to the default locations defined by the Tivoli Access Manager product.

Directory name * (for Tivoli Common Directory)
  Specifies the fully qualified path of the Tivoli Common Directory.
  - If the location of the Tivoli Common Directory was previously established on the system by the installation of another Tivoli application, that location is displayed in the field and cannot be modified.
  - If the location has not previously been established on the system, you can specify it.
  If Tivoli Common Directory is enabled and the location has not previously been established, the default common directories are:
  - Windows: C:\Program Files\ibm\tivoli\common
  - UNIX or Linux: /var/ibm/tivoli/common
  Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory named with a 3-character identifier. For IBM Tivoli Access Manager the subdirectory is tivoli_common_dir/HPD. See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.
  If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:
  - Windows: C:\Program Files\Tivoli\Policy Director\log
  - UNIX or Linux: /var/PolicyDirector/log
Policy server host name *
  Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to by its original name, the master authorization database), updates the database replicas whenever the master database changes, and replicates the policy information throughout the domains. It also maintains location information about the other resource managers operating in the domain. At least one policy server must be defined for each domain. Examples: pdmgr or pdmgr.tivoli.com

Policy server SSL port *
  Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Policy server CA certificate file
  Specifies the name of the certificate authority (CA) certificate file used by the policy server; the CA is the Tivoli Access Manager certificate authority (PDCA). Configuring the policy server creates and saves a default base64-encoded CA certificate file named pdcacert.b64. The SSL key file and certificate are created using FIPS-approved algorithms. To obtain this file, do one of the following:
  - Leave this field blank during configuration of Access Manager Runtime; the pdcacert.b64 file is then downloaded automatically.
  - Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.
  You must distribute this file to each machine in your secure domain; configuration cannot succeed without it. The default location is:
  - Windows: C:\Program Files\Tivoli\Policy Director\keytab\pdcacert.b64
  - UNIX or Linux: /var/PolicyDirector/keytab/pdcacert.b64

Domain *
  Specifies the name of the Tivoli Access Manager default domain, known as the management domain. This domain is created when the policy server is configured. The default domain enforces security policies for authentication, authorization, and access control. A security policy implemented in a domain affects only the objects in that domain, and users with authority to perform tasks in one domain do not necessarily have that authority in other domains. The default domain name is Default.

Registry server host name *
  Specifies the host name or IP address of the registry server. You can specify the fully qualified host name with or without the domain extension. Examples: registryserver or registryserver.tivoli.com

Registry server port *
  Specifies the port number on which the registry server listens for requests. The default port number is 389.

Tivoli Access Manager administrator ID *
  Specifies the administrator identifier of the Tivoli Access Manager management domain. The default administrator ID is sec_master.
Tivoli Access Manager administrator password *
  Specifies the password for the Tivoli Access Manager administrator ID.

Local host name *
  Specifies the fully qualified name or IP address of the host system on which the policy proxy server is to be located. The installation wizard detects and fills in the host name of your system. For example: dana.tivoli.com

Administration request port *
  Specifies the port number on which the policy proxy server listens for administration requests. The default port number is 7137.

Proxy request port *
  Specifies the port number on which the policy proxy server listens for authorization requests. The default port number is 7138.

Enable SSL with the registry server (prompted on Windows only)
  Specifies whether to enable encrypted Secure Sockets Layer (SSL) communication between the Tivoli Access Manager policy proxy server and the registry server. Default: enabled (check box is selected).
  Note: You must first configure the registry server for SSL access.

On Windows only, you can enable SSL with the registry server. If SSL is enabled, you are prompted for the next four values:

SSL key file with full path *
  Specifies the fully qualified path of the existing SSL client key file. The key file holds the client-side certificates used in SSL communication; its extension is always .kdb. Copy the SSL key file from the registry server system to any directory on your local system and specify its full path and file name here.

SSL key file password *
  The existing password associated with the specified SSL key file. The client key file password was set when the key file was first created. You can change it with the IBM Global Security Kit (GSKit) utility gsk7ikm; if you change it, keep a record of the new password.

Certificate label
  Specifies the label of the SSL client certificate. The label is valid only when SSL is in use and the LDAP server is configured to require client authentication. For example: PDLDAP. Use a certificate label to distinguish between multiple certificates within the SSL key file, or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

SSL port *
  Specifies the port number on which the registry server listens for SSL requests. The default port number is 636.
install_amrte
The Tivoli Access Manager runtime system wizard (install_amrte) prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following runtimes:
  • Access Manager Runtime (LDAP) on page 378
  • Access Manager Runtime (Active Directory) on page 382
  • Access Manager Runtime (Domino) on page 389
Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.
install_amsms
Table 32 lists additional options prompted for during installation using the install_amsms wizard as instructed in Installing using the installation wizard on page 282.
Notes:
  1. You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.
  2. If the policy server has Federal Information Processing Standard (FIPS) mode enabled, then WebSphere Application Server must be installed and FIPS enabled before using this installation wizard.
Table 32. install_amsms configuration options. * indicates a required option.

Directory name * (for the IBM Tivoli Security Utilities; prompted on Windows only)
    Specifies the IBM Tivoli Security Utilities installation directory. The default directory is: C:\Program Files\Tivoli\Policy Director
    Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:
      • UNIX and Linux: /opt/IBM/Tivoli/SecUtilities

Directory name * (for the Access Manager Runtime; prompted on Windows only)
    Specifies the Access Manager Runtime installation directory. The default directory is: C:\Program Files\Tivoli\Policy Director
    Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:
      • UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging
    Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager writes its message and trace log data to default locations that are defined by the Tivoli Access Manager product.
Table 32. install_amsms configuration options (continued). * indicates a required option.

Directory name * (for the Tivoli Common Directory)
    Specifies the fully qualified path for the Tivoli Common Directory.
      • If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location is displayed in the field but cannot be modified.
      • If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location. The default common directory is:
          Windows: C:\Program Files\ibm\tivoli\common
          UNIX or Linux: /var/ibm/tivoli/common
    Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory that is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD. See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.
    If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:
      • Windows: C:\Program Files\Tivoli\Policy Director\log
      • UNIX or Linux: /var/PolicyDirector/log

Directory name * (for the Access Manager Session Management Server; prompted on Windows only)
    Specifies the session management server installation directory. The default directory is: C:\Program Files\Tivoli\PDSMS
    Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:
      • UNIX or Linux: /opt/Tivoli/PDSMS

Enable integration with Tivoli Access Manager
    Select the check box to enable Tivoli Access Manager integration. Integration is required to support the credential refresh administration function and the auditing of events that are specific to Tivoli Access Manager. When integration is enabled, the Tivoli Access Manager SSL certificates are also available for use. If enabled, you are prompted for further Tivoli Access Manager configuration information. Default: enabled (the check box is selected).

Enable enforcement of session limit and displacement policy
    Select the check box to enable enforcement of the session limit and displacement policy. This option is required to support limiting the number of concurrent sessions for a user, and limiting the total number of sessions within a session realm. Default: enabled (the check box is selected).
Table 32. install_amsms configuration options (continued). * indicates a required option.

Client idle timeout (seconds) *
    The length of time in seconds that the connection between the session management server and a client application waits before timing out. Match this value to the session inactivity timeout that is set in the Tivoli Access Manager WebSEAL or Web security plug-in configuration. A valid timeout value is any positive integer. There is no maximum, so use a value that is a reasonable length of time to wait for a connection. A value of zero is not allowed. Default: 600 seconds (10 minutes).

Key lifecycle (days) *
    Specifies the length of time in days that the current Tivoli Access Manager session management server key remains active and valid before it expires, and therefore how frequently the key is automatically refreshed. The key is used to prevent forgery of session cookies and denial of service (DoS) attacks on the session management server. A valid key lifetime value is any positive integer. There is no maximum, so use a reasonable number of days before expiration occurs. A value of zero disables automatic key refresh. Default: 180 days.

IBM WebSphere Application Server host name *
    Specifies the host name or IP address of the host system on which IBM WebSphere Application Server is located. If deploying to a cluster, make sure the host name is for an IBM WebSphere Application Server that is located in the cluster. You can specify the host name with or without the domain extension. The dot (.) cannot be the last character of the host name. Examples: wasserver1.tivoli.com, wasserver1

IBM WebSphere Application Server port *
    Specifies the port number on which the application server listens for SOAP administration requests. Change this value to the port number used by your WebSphere Application Server. The default port number is 8879, which is the default for WebSphere Application Server Network Deployment.

Enable SSL with the IBM WebSphere Application Server
    Select the check box to enable SSL communication with the IBM WebSphere Application Server for the configuration session only. SSL is used only for obtaining installation configuration information from the IBM WebSphere Application Server; it encrypts the data transmitted between the session management server and the application server so that the configuration data has privacy and integrity. Because the IBM WebSphere Application Server administrator ID and password are sent over this connection, leave SSL enabled. Default: enabled (the check box is selected).
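To make the Key lifecycle option concrete, here is an added example (my code, not code from the product or this guide) of how a server-side key authenticates session cookies with an HMAC and is refreshed once its configured lifetime elapses, with zero meaning no automatic refresh. The cookie layout, the SHA-256 HMAC, the injectable clock and the decision to keep the previous key so that cookies issued just before a refresh still verify are choices made for this illustration; the page does not describe the session management server's own cookie format or key handling.

```python
import hashlib
import hmac
import secrets
import time

SECONDS_PER_DAY = 86400


class SessionKeyRing:
    """Key that authenticates session cookies, refreshed every key_lifetime_days.

    A lifetime of 0 disables automatic refresh, matching the wizard option.
    `now` is injectable so the refresh can be exercised without waiting 180 days.
    Illustrative design only (assumption): the product's real cookie format is not shown.
    """

    def __init__(self, key_lifetime_days, now=time.time):
        if not isinstance(key_lifetime_days, int) or key_lifetime_days < 0:
            raise ValueError("key lifetime must be a non-negative integer number of days")
        self.lifetime = key_lifetime_days * SECONDS_PER_DAY
        self.now = now
        self.current = secrets.token_bytes(32)   # 256-bit HMAC key
        self.previous = None                     # honoured for one rotation window (assumption)
        self.issued_at = now()

    def _refresh_if_due(self):
        """Rotate the key once it is older than the configured lifetime."""
        if self.lifetime and self.now() - self.issued_at >= self.lifetime:
            self.previous, self.current = self.current, secrets.token_bytes(32)
            self.issued_at = self.now()

    @staticmethod
    def _tag(key, session_id):
        return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()

    def sign(self, session_id):
        """Return a cookie value 'session_id.tag' bound to the current key."""
        self._refresh_if_due()
        return f"{session_id}.{self._tag(self.current, session_id)}"

    def verify(self, cookie):
        """Return the session id if the tag is genuine, otherwise None.

        A forged or altered cookie fails because the attacker does not hold the key;
        the comparison is constant-time so the tag cannot be recovered byte by byte.
        """
        self._refresh_if_due()
        session_id, sep, tag = cookie.rpartition(".")
        if not sep or not session_id:
            return None
        for key in (self.current, self.previous):
            if key is not None and hmac.compare_digest(self._tag(key, session_id), tag):
                return session_id
        return None


if __name__ == "__main__":
    clock = [0.0]                                    # constructed clock, starts at the epoch
    ring = SessionKeyRing(180, now=lambda: clock[0])
    cookie = ring.sign("a1b2c3")
    print(ring.verify(cookie))                         # a1b2c3
    print(ring.verify("zzz." + cookie.split(".")[1]))  # None: tag was minted for another id
    clock[0] = 180 * SECONDS_PER_DAY                   # lifetime elapsed, key refreshed on next use
    print(ring.verify(cookie))                         # a1b2c3: previous key still honoured
    clock[0] = 360 * SECONDS_PER_DAY
    print(ring.verify(cookie))                         # None: two refreshes later the old key is gone
```

The lifetime you enter in the wizard is the upper bound on how long a stolen or leaked key stays usable for minting cookies; the example's one-rotation grace for the previous key is why a very short lifetime does not log everyone out at each refresh.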
Table 32. install_amsms configuration options (continued). * indicates a required option.

IBM WebSphere Application Server administrator ID *
    Specifies the identifier for an existing administrator account for the IBM WebSphere Application Server. All administrator IDs must follow the IBM WebSphere Application Server naming policy. The administrator ID is an alphanumeric string. The string might be case-sensitive or case-insensitive, depending on the registry that is configured for IBM WebSphere Application Server.

IBM WebSphere Application Server administrator password *
    Specifies the existing password for the specified IBM WebSphere Application Server administrator ID. This password was created when you created the IBM WebSphere Application Server administrator account.

Trust store file with full path *
    Specifies the fully qualified path where the existing trust store file is located. The trust store file is used to verify the server-side certificate presented in SSL communication: the signer of the server's SSL certificate must be recognized as a trusted certificate authority (CA). Any file extension can be used, but the extension normally relates to the trust store file format. For example, for a Java Key Store (JKS) file format: c:\keytab\mytrust.jks

Trust store file password *
    Specifies the existing password that protects the SSL trust store file if a secure connection with the IBM WebSphere Application Server is being used. The trust store file password was set when the trust store file was first created. For example: WebAS (this is the password of the default trust stores shipped with WebSphere Application Server; a production trust store should not still use it).

SSL key file with full path *
    Specifies the fully qualified path where the existing key file is located. The key file holds the client-side certificates that are used in SSL communication with the Tivoli Access Manager session management server. Any file extension can be used, but the extension normally relates to the key file format. For example, for a Java Key Store (JKS) file format: c:\keytab\mykeys.jks

SSL key file password *
    Specifies the existing password that is associated with the specified client key file. The key file password was set when the key file was first created.

Application server or cluster *
    Select the existing application server or cluster where the Tivoli Access Manager session management server Web service is to be deployed. The types of deployment that are recognized by IBM WebSphere Application Server are:
      • A cluster: specify the existing cluster to which the session management server Web service will be deployed.
      • A single application server: specify the existing application server to which the session management server Web service will be deployed.
    Select at least one application server or cluster from the list displayed.
Table 32. install_amsms configuration options (continued). * indicates a required option.

Storage type *
    Specifies the data sources configured in IBM WebSphere Application Server that the session management server can use for storing session data. The application server is queried for the storage types, and all JDBC storage types that are currently configured for it are displayed. For example: DB2 Data Source. The storage type selected is used by the session management server for storing last login data. Note: The Memory storage type is for testing and demonstration purposes only. If the session management server has been configured with a data source for the session data storage type, the only data source available for storing login data is the one specified for session data. The Memory storage type can still be used for login data when a data source has been specified for the session data storage type. Select one of the storage types displayed.

Enable database storage of session data
    Specifies whether to store session data in the selected JDBC data source. This option is only available if you are not deploying to a clustered WebSphere Application Server environment. By default, this option is disabled.

Directory name * (for IBM WebSphere Application Server; prompted on Windows only)
    Specifies the location of the existing IBM WebSphere Application Server installation. The default directory is: C:\Program Files\IBM\WebSphere\AppServer
    Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
      • AIX: /usr/IBM/WebSphere/AppServer
      • HP-UX, Linux and Solaris: /opt/IBM/WebSphere/AppServer
Table 32. install_amsms configuration options (continued). * indicates a required option.

New replica set *
    Specifies the name for a replica set to be used by the Tivoli Access Manager session management server. A replica set is a collection of replicated Web security servers (Tivoli Access Manager WebSEAL or Web server plug-ins). To create and name a new replica set, type the name, and then click Add replica set. Repeat the procedure until you have created all the replica set names that you want to add. Commas cannot be used in a replica set name. Replica sets and session realms cannot have the same name.
    The replica set names that you define must match the names used in the Web security server (Tivoli Access Manager WebSEAL or Web server plug-in) configuration settings:
      • For WebSEAL virtual host junctions, the replica set is the virtual host name of the junction, or the replica set name that was specified with the -z option when the junction was created.
      • For WebSEAL normal junctions, the replica set is specified in the WebSEAL configuration file. The default value is default.
      • For the Web server plug-ins, the replica set is specified in the Web server plug-in configuration file. The default replica set name is the name of the virtual host.

Session realms *
    Select a session realm for the defined replica set from the list by highlighting the session realm name. If no session realms have been defined, the field displays the default value -no realm-. A replica set can belong to a session realm, which is a collection of replica sets. Session realms are used to provide single sign-on (SSO), session administration, and session policy enforcement across a number of replica sets. Note: If you do not need these capabilities, session realms do not need to be defined.

Replica sets *
    Displays a list of all the replica set names that have been defined. At least one replica set must be defined. To undo a replica set definition, highlight the replica set name to select it, and then click Remove replica set. Repeat the procedure until you have removed all the replica set names that you want to undo.
Table 32. install_amsms configuration options (continued). * indicates a required option.

New session realm *
    Specifies the name for a new session realm to be used by the session management server. A session realm is a collection of replica sets; a replica set is a collection of replicated Web security servers (Tivoli Access Manager WebSEAL or Web server plug-ins). Session realms are used to provide single sign-on (SSO), session administration, and session policy enforcement across a number of replica sets. Note: If you do not need these capabilities, session realms do not need to be defined.
    To add a new session realm, type the name of the session realm in the Realm field, and then enter the maximum number of concurrent logins allowed for the session realm in the Limit field. The session realm name is an alphanumeric, case-insensitive string whose characters must be part of the local code set. Commas cannot be used in the session realm name, and session realms and replica sets cannot have the same name. If no limit is specified, an unlimited number of concurrent logins is allowed for the session realm. When you have entered the realm name and limit, click Add session realm to add the new session realm. Repeat the procedure until you have created and named all the session realms that you want to add.

Session realms *
    Displays a list of all the session realm names that have been created. To undo the creation of a session realm, highlight its name in the list to select it, and then click Remove session realm. Repeat the procedure until you have removed all the session realm names that you want to undo.

Record last login data (check box)
    Select the check box to record session management server last login data. Last login data includes the date and time of the last login (from the current browser) and the number of failed login attempts since the last successful login before the current login. This data can be displayed in a browser, if required. When enabled, you are prompted for further database table name and recording configuration information. Default: enabled (the check box is selected).
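The replica set and session realm rows above state several naming constraints that the wizard only reports one at a time when you click Add. The following added example (my code, not the product's or this guide's) checks a planned set of names against those rules ahead of time and also derives the replica set names that a list of WebSEAL junctions will expect, following the three bullets under New replica set. The junction description dicts, the function names, and comparing replica set names against realm names case-insensitively are assumptions made for this example.

```python
"""Pre-flight checks for install_amsms replica set and session realm names.

Added example; not part of the Tivoli Access Manager product or this guide.
"""


def replica_sets_required_by_webseal(junctions, normal_junction_replica_set="default"):
    """Return the replica set names the SMS must define for the given junctions.

    junctions: list of dicts in a format constructed for this example:
      {"kind": "virtual", "vhost": "www.example.com", "replica_set": "shop"}  # -z value optional
      {"kind": "normal", "point": "/app"}
    Virtual host junctions use the -z replica set if given, else the virtual host name;
    normal junctions all use the replica set configured in the WebSEAL configuration
    file, which defaults to "default".
    """
    required = set()
    for junction in junctions:
        if junction["kind"] == "virtual":
            required.add(junction.get("replica_set") or junction["vhost"])
        elif junction["kind"] == "normal":
            required.add(normal_junction_replica_set)
        else:
            raise ValueError(f"unknown junction kind: {junction['kind']!r}")
    return required


def validate_sms_names(replica_sets, session_realms):
    """Check names against the rules in the wizard table; return a list of problems.

    replica_sets: iterable of replica set names.
    session_realms: dict of realm name -> concurrent login limit (None = unlimited).
    An empty list means the names would be accepted as far as these rules go.
    """
    problems = []
    replica_sets = list(replica_sets)

    # Neither kind of name may be empty or contain a comma.
    for name in replica_sets + list(session_realms):
        if not name:
            problems.append("empty name")
        elif "," in name:
            problems.append(f"comma in name: {name!r}")

    # Session realm names are alphanumeric and case-insensitive.
    seen = {}
    for name in session_realms:
        if name and not name.isalnum():
            problems.append(f"session realm is not alphanumeric: {name!r}")
        key = name.lower()
        if key in seen:
            problems.append(f"session realms {seen[key]!r} and {name!r} differ only by case")
        seen[key] = name

    # Replica sets and session realms cannot share a name (compared case-insensitively
    # here because realm names are case-insensitive; assumption for the replica set side).
    for name in replica_sets:
        if name.lower() in seen:
            problems.append(f"replica set {name!r} has the same name as a session realm")

    # A limit is either unlimited (None) or a positive number of concurrent logins.
    for name, limit in session_realms.items():
        if limit is not None and (isinstance(limit, bool) or not isinstance(limit, int) or limit <= 0):
            problems.append(f"session realm {name!r}: limit must be a positive integer or None")

    return problems


def missing_replica_sets(replica_sets, junctions):
    """Replica sets WebSEAL will look for that the planned SMS configuration lacks."""
    return sorted(replica_sets_required_by_webseal(junctions) - set(replica_sets))


if __name__ == "__main__":
    # Constructed sample: two virtual host junctions and one normal junction.
    junctions = [
        {"kind": "virtual", "vhost": "www.example.com"},
        {"kind": "virtual", "vhost": "shop.example.com", "replica_set": "shop"},
        {"kind": "normal", "point": "/app"},
    ]
    planned = ["www.example.com", "shop"]
    print(missing_replica_sets(planned, junctions))                 # ['default']
    print(validate_sms_names(planned, {"Internet": 10, "internet": None}))
```

A name mismatch between WebSEAL and the session management server is silent at install time and only shows up later as sessions that are not shared or not counted against the realm limit, which is why checking the junction-derived names before running the wizard is worthwhile.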
Table 32. install_amsms configuration options (continued). * indicates a required option.

Storage type *
    Specifies the data sources configured in IBM WebSphere Application Server that the session management server can use for storing session data. The application server is queried for the storage types, and all JDBC storage types that are currently configured for it are displayed. For example: DB2 Data Source. The storage type selected is used by the session management server for storing last login data. Note: The Memory storage type is for testing and demonstration purposes only. If the session management server has been configured with a data source for the session data storage type, the only data source available for storing login data is the one specified for session data. The Memory storage type can still be used for login data when a data source has been specified for the session data storage type.

Database table name *
    Specifies the name of the database table that is used for recording the last login data. Last login data includes the date and time of the last login (from the current browser) and the number of failed login attempts since the last successful login before the current login. Accept the default database table name or specify another name. The name is an alphanumeric, case-insensitive string whose characters must be valid in the local code set. The default name is AMSMSUSERINFOTABLE.

Maximum entries in memory
    Specifies the default maximum number of last login entries that are stored in memory. The default value is 5000.

Last login file path (server side)
    Specifies the server-side path for the last login .jsp file. The default value is lastLogin.jsp.

Last login file with full path *
    Specifies the fully qualified path where the login file is located. A login file is a dynamic Web page that is customized to be displayed when a user logs in; the user's last login data can be displayed on it. The login file can have any valid name, but the default file name is lastLogin.jsp. The set of characters that are permitted in a file name is determined by the file system and by the local code set. On Windows, file names cannot contain a backward slash (\), a colon (:), a question mark (?), or double quotation marks ("). The default fully qualified path is:
      • UNIX or Linux: SMS_install_dir/etc/lastLogin.jsp
      • Windows: SMS_install_dir\etc\lastLogin.jsp
Table 32. install_amsms configuration options (continued). * indicates a required option.

Policy server host name *
    Specifies the host name or IP address of the existing Tivoli Access Manager policy server (or policy proxy server). The policy server manages the policy database (sometimes referred to by its original name, the master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about the resource managers operating in the domain. There must be at least one policy server defined for each domain. The dot (.) cannot be the last character of the host name. Examples: pdmgr, pdmgr.tivoli.com

Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL requests. Use the default port number, which is server-dependent. The default port number is 7135.

Tivoli Access Manager domain name
    Specifies the name of an existing Tivoli Access Manager domain. A domain consists of all the resources that require protection along with the associated security policy that is used to protect those resources. A resource can be any physical or logical entity, including objects such as files, directories, Web pages, printer and network services, and message queues. The default domain enforces security policies for authentication, authorization, and access control. Any security policy that is implemented in a domain affects only the objects in that domain, and users with authority to perform tasks in one domain do not necessarily have authority to perform those tasks in other domains. The default domain name is Default.

Tivoli Access Manager administrator ID
    Specifies the identifier for an existing administrator account for the Tivoli Access Manager domain. The default administrator ID is sec_master.

Tivoli Access Manager administrator password
    Specifies the password that is associated with the specified Tivoli Access Manager administrator ID. This password was created when you created the administrator account. Basic authentication requires the Tivoli Access Manager administrator to enter a valid user name and password before access to a secure online resource can be granted.

New rule
    Defines a credential refresh rule, which controls how Tivoli Access Manager credentials are refreshed. Enter the credential attribute for which you want to create a rule in the Pattern field; for example, tagvalue_last_refresh_time. To refresh the attribute if it is updated during a session, select the refresh radio button. To retain the attribute as it was if it is updated during a session, select the preserve radio button. Click Add rule to add the rule. The order of rules in the credential list is important: rules are evaluated in order, and the first rule takes precedence over any subsequent rule.
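Because rule order decides the outcome, the same two rules listed in opposite order produce different credentials. The following added example (my code, not the product's or this guide's) evaluates an ordered rule list the way the New rule row describes, first match wins, and shows both orders on constructed sample credentials. Treating the Pattern field as a shell-style glob, the default action for attributes that match no rule, how attributes present on only one side are handled, and the attribute names used are all assumptions for this example; the page shows only a literal attribute name.

```python
"""Ordered evaluation of credential refresh rules (added example; not product code).

Assumptions: a rule pattern is matched against attribute names as a shell-style glob
(the page shows only a literal attribute name), attributes matching no rule follow a
caller-supplied default, and the credentials below are constructed sample data.
"""
from fnmatch import fnmatchcase


def decide(attribute, rules, default_action):
    """Return 'refresh' or 'preserve' for one attribute: the first matching rule wins."""
    for pattern, action in rules:
        if action not in ("refresh", "preserve"):
            raise ValueError(f"bad action {action!r} for pattern {pattern!r}")
        if fnmatchcase(attribute, pattern):
            return action
    return default_action


def refresh_credential(current, updated, rules, default_action="refresh"):
    """Merge freshly fetched attributes into the session's current credential.

    current: attributes the session holds now.
    updated: attributes fetched from the registry at refresh time.
    Attributes present only in `updated` are added; attributes present only in
    `current` are kept (both assumptions for this example).
    """
    merged = dict(current)
    for attribute, new_value in updated.items():
        if attribute not in current or decide(attribute, rules, default_action) == "refresh":
            merged[attribute] = new_value
    return merged


# Constructed sample credentials: the user was added to a group and the
# tag values changed since login.
AT_LOGIN = {
    "AZN_CRED_PRINCIPAL_NAME": "alice",
    "AZN_CRED_GROUPS": "staff",
    "tagvalue_last_refresh_time": "2010-01-01T09:00:00Z",
    "tagvalue_dept": "eng",
}
FROM_REGISTRY = {
    "AZN_CRED_PRINCIPAL_NAME": "alice",
    "AZN_CRED_GROUPS": "staff,admins",
    "tagvalue_last_refresh_time": "2010-01-01T10:30:00Z",
    "tagvalue_dept": "ops",
}

# The same two rules in opposite order. Each rule is a (pattern, action) tuple.
SPECIFIC_FIRST = [("tagvalue_last_refresh_time", "refresh"), ("tagvalue_*", "preserve")]
WILDCARD_FIRST = [("tagvalue_*", "preserve"), ("tagvalue_last_refresh_time", "refresh")]


if __name__ == "__main__":
    a = refresh_credential(AT_LOGIN, FROM_REGISTRY, SPECIFIC_FIRST)
    b = refresh_credential(AT_LOGIN, FROM_REGISTRY, WILDCARD_FIRST)
    print(a["tagvalue_last_refresh_time"])            # 2010-01-01T10:30:00Z (specific rule won)
    print(b["tagvalue_last_refresh_time"])            # 2010-01-01T09:00:00Z (wildcard shadowed it)
    print(a["tagvalue_dept"], a["AZN_CRED_GROUPS"])   # eng staff,admins
```

Put specific patterns before wildcard patterns when you add rules in the wizard; a wildcard entered first shadows every later rule for the attributes it matches, which is easy to miss in the list view.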
Table 32. install_amsms configuration options (continued). * indicates a required option.

Remove rule
    To remove a credential refresh rule, select it and click Remove rule.

Use existing Tivoli authorization server
    Specifies whether to use an existing Tivoli Access Manager authorization server. When enabled, you must supply the authorization server host name and port. When disabled, you are prompted for the further information that is required to install a new authorization server. By default, this option is enabled.

Authorization server host name
    Specifies the existing fully qualified host name or IP address of the authorization server to be used by IBM Tivoli Access Manager. The host name is an alphanumeric, case-insensitive string whose characters must be part of the local code set. The dot (.) cannot be the last character of the host name. Examples: pdacld or pdacld.tivoli.com

Authorization server port
    Specifies the port number on which the authorization server listens for SSL requests. A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another server. Use the default port number, which is server-dependent. The default port number is 7136.

Components *
    Specifies the Session Management Server components that are to be deployed to IBM WebSphere Application Server. The valid components are:
      • An instance of the Session Management Server application. This component provides the Web service interface for the Session Management Server.
      • An instance of the Session Management Server configuration and administration console. This component is deployed to the Integrated Solutions Console for IBM WebSphere Application Server and can be used to configure and administer Session Management Server instances.

Enable recording of auditing information
    Select the check box to enable the recording of auditing information. When enabled, you are prompted for a properties file that contains the auditing configuration. Default: the check box is not selected (disabled).

Auditing properties file with full path
    Specifies the fully qualified path of the properties file for the auditing configuration. The path and file name is an alphanumeric string whose characters must be part of the local code set; the set of characters permitted in a file name is determined by the file system and by the local code set. On Windows, file names cannot contain a backward slash (\), a colon (:), a question mark (?), or double quotation marks ("). To specify the auditing properties file, either type a new fully qualified path, or browse for and choose an existing properties file.
Table 32. install_amsms configuration options (continued). * indicates a required option.

Integration with Tivoli Access Manager enabled
    Select the check box if IBM Tivoli Access Manager integration with the deployed Session Management Server has been enabled. Default: the check box is selected (enabled).

Tivoli Access Manager administrator ID
    Specifies the identifier for an existing administrator account for the IBM Tivoli Access Manager domain. The administrator ID is an alphanumeric, case-insensitive string whose characters must be part of the local code set. Default: sec_master

Tivoli Access Manager administrator password
    Specifies the password that is associated with the specified IBM Tivoli Access Manager administrator ID. This password was created when you created the administrator account. Basic authentication requires the IBM Tivoli Access Manager administrator to enter a valid user name and password before access to a secure online resource can be granted. The administrator password is an alphanumeric, case-sensitive string whose characters must be part of the local code set.
install_amsmscli
Table 33 lists additional options prompted for during installation using the install_amsmscli wizard as instructed in Installing using the installation wizard on page 282. Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.
Table 33. install_amsmscli configuration options. * indicates a required option.

Directory name * (for the IBM Global Security Kit (GSKit); prompted on Windows only)
    Specifies the IBM Global Security Kit (GSKit) installation directory if GSKit is not already installed. The default directory is: C:\Program Files\ibm\gsk7
    Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
      • AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
      • HP-UX and Solaris: /opt/ibm/gsk7
      • HP-UX on Integrity: /opt/ibm/gsk7_32 on 32-bit, /opt/ibm/gsk7_64 on 64-bit
      • Linux: /usr/local/ibm/gsk7

Directory name * (for the IBM Tivoli Directory Server client; prompted on Windows only)
    Specifies the IBM Tivoli Directory Server client installation directory if the client is not already installed. The default directory is: C:\Program Files\ibm\LDAP
    Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
      • AIX and Linux: /usr/ldap
      • HP-UX and Solaris: /opt/IBM/V6.1

Directory name * (for the IBM Tivoli Security Utilities; prompted on Windows only)
    Specifies the IBM Tivoli Security Utilities installation directory. The default directory is: C:\Program Files\Tivoli\Policy Director
    Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:
      • UNIX and Linux: /opt/IBM/Tivoli/SecUtilities

Directory name * (for the Access Manager Runtime; prompted on Windows only)
    Specifies the Access Manager Runtime installation directory. The default directory is: C:\Program Files\Tivoli\Policy Director
    Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:
      • UNIX or Linux: /opt/PolicyDirector
Table 33. install_amsmscli configuration options (continued). * indicates a required option.

Enable Tivoli Common Directory for logging
    Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager writes its message and trace log data to default locations that are defined by the Tivoli Access Manager product.

Enable integration with Tivoli Access Manager
    Select the check box to enable IBM Tivoli Access Manager integration. Enabling integration makes administration available through the IBM Tivoli Access Manager Administration framework, which includes the pdadmin command line utility and the IBM Tivoli Access Manager Administration API. If enabled, you are prompted for further IBM Tivoli Access Manager configuration information.

Directory name * (for the Tivoli Common Directory)
    Specifies the fully qualified path for the Tivoli Common Directory.
      • If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location is displayed in the field but cannot be modified.
      • If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.
    If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory is:
      • Windows: C:\Program Files\ibm\tivoli\common
      • UNIX or Linux: /var/ibm/tivoli/common
    Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory that is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD. See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.
    If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:
      • Windows: C:\Program Files\Tivoli\Policy Director\log
      • UNIX or Linux: /var/PolicyDirector/log

Directory name * (for the Access Manager Session Management Command Line; prompted on Windows only)
    Specifies the Tivoli Access Manager session management command line installation directory. The default directory is: C:\Program Files\Tivoli\PDSMS
    Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:
      • UNIX or Linux: /opt/PolicyDirector/PDSMS
Table 33. install_amsmscli configuration options (continued). * indicates a required option.

Web service host and port *
    Specifies the host name and port number of the Tivoli Access Manager session management server (SMS) Web service. Use the form hostname:port_number; for example: sms.ibm.com:8080. To specify multiple host names and port numbers, separate the entries with commas: hostname1:port_number1,hostname2:port_number2,...

Enable SSL with the SMS Web service
    Select the check box to enable SSL communication between the Tivoli Access Manager session management command line and the SMS Web service. SSL encrypts the transmitted data to provide privacy and integrity, which protects information such as user passwords and private data. SSL is not required for Tivoli Access Manager to operate, but without it that data crosses the network in the clear. Default: enabled (check box is selected).
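The host-and-port value is the one free-form field in this table, and a malformed entry (a trailing dot, a missing port, an empty item after a stray comma) is cheaper to catch in a pre-flight script than after the wizard has run. The following added example (my code, not the product's or this guide's) parses the documented form and enforces the rules the page gives: hostname:port_number, comma separation, no trailing dot on the host name. The DNS label syntax check, the TCP port range, accepting IPv4 literals, and the function names are additions for the example; IPv6 literals are left out because the page shows neither form.

```python
"""Parse and check the install_amsmscli 'Web service host and port' value.

Added example; not from the product. It enforces the form hostname:port_number, comma
separation for multiple entries, the rule that a host name cannot end with a dot, and a
TCP port range. Host names are checked against DNS label syntax and IPv4 literals are
accepted; IPv6 literals are out of scope here (assumption: the page shows neither).
"""
import ipaddress
import re

_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_PORT = re.compile(r"^[0-9]+$")


def _host_is_valid(host):
    """True for an IPv4 literal or a syntactically valid DNS host name."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        pass
    return len(host) <= 253 and all(_LABEL.match(label) for label in host.split("."))


def parse_sms_endpoints(value):
    """Turn 'h1:p1,h2:p2,...' into a list of (host, port); raise ValueError on bad input."""
    endpoints = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry in host list")
        host, sep, port_text = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"expected hostname:port_number, got {entry!r}")
        if not _PORT.match(port_text) or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"port must be 1-65535 in {entry!r}")
        if host.endswith("."):
            raise ValueError(f"host name cannot end with a dot: {host!r}")
        if not _host_is_valid(host):
            raise ValueError(f"invalid host name or IPv4 address: {host!r}")
        endpoints.append((host, int(port_text)))
    return endpoints


def endpoint_problem(value):
    """None if value is acceptable, else the message you would show the operator."""
    try:
        parse_sms_endpoints(value)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(parse_sms_endpoints("sms.ibm.com:8080"))
    print(parse_sms_endpoints("sms1.example.com:8080, sms2.example.com:8443"))
    print(endpoint_problem("sms.ibm.com."))       # no port given
    print(endpoint_problem("sms.ibm.com.:8080"))  # trailing dot
```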
422
Table 33. install_amsmscli configuration options (continued). * indicates a required option. Configuration Options SSL key file with full path * Description Specifies the fully qualified path where the existing SSL client key file is located. The key file holds the client-side certificates that are used in SSL communication. The key file is used when communicating with the IBM Tivoli Access Manager session management server. The file extension is always .kdb. For example: c:\keytab\mykeys.kdb If you plan to enable SSL, copy the SSL key file to any directory on your local system. This key file must be obtained (copied) from the Web service, such as IBM WebSphere Application Server. SSL stash file with full path Specifies the fully qualified path where the existing SSL client * key stash file is located. Typically, the stash file has the same location and file name as the key file. The file extension is always .sth. For example: c:\keytab\mykeys.sth If a password stash file is associated with the key file, the password is obtained from the password stash file. A stash file can be used by some applications so that the application does not have to know the password to use the key file. Certificate label Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the Web service has been configured to require client authentication. The certificate label is any alphanumeric, case-sensitive string that you choose. String values should be characters that are part of the local code set. For example: PDSMS Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.
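The key file and stash file fields above pair a .kdb with a .sth that supplies its password. The following preflight check is an added example, not part of this guide or the product: it confirms the pair is laid out as the table describes (same directory, same base name, expected extensions) and, on UNIX or Linux, that neither file is readable by group or others, since anyone who can read the stash file can open the key file. The files it writes in demo() are constructed placeholders, not real GSKit databases.

```python
"""Preflight check of a GSKit key file (.kdb) and its password stash file (.sth).

Added example; it is not part of this installation guide and not product code.
It applies what the tables state about the "SSL key file with full path" and
"SSL stash file with full path" fields (the stash file normally sits beside the
key file under the same name and supplies the key file password) and adds the
check a practitioner wants: because the stash file is equivalent to the key
file password, neither file should be readable by other users. The files
written by demo() are constructed placeholders, not real GSKit databases.
"""
import os
import stat
import tempfile
from pathlib import Path


def check_keyfile_pair(kdb_path, sth_path=None):
    """Return a list of problems; an empty list means the pair looks sane."""
    problems = []
    kdb = Path(kdb_path)
    # The guide says the stash file typically has the key file's location and name.
    sth = Path(sth_path) if sth_path else kdb.with_suffix(".sth")

    if kdb.suffix.lower() != ".kdb":
        problems.append(f"key file {kdb} does not use the .kdb extension")
    if sth.suffix.lower() != ".sth":
        problems.append(f"stash file {sth} does not use the .sth extension")
    if not kdb.is_file():
        problems.append(f"key file {kdb} not found")
    if not sth.is_file():
        problems.append(f"stash file {sth} not found")
    if kdb.parent.resolve() != sth.parent.resolve() or kdb.stem != sth.stem:
        problems.append("stash file is not beside the key file under the same base name")

    if os.name != "nt":  # POSIX mode bits; on Windows inspect the ACL instead
        for label, path in (("key file", kdb), ("stash file", sth)):
            if path.is_file():
                mode = stat.S_IMODE(path.stat().st_mode)
                if mode & (stat.S_IRWXG | stat.S_IRWXO):
                    problems.append(
                        f"{label} {path} is accessible by group/others (mode {mode:04o})"
                    )
    return problems


def demo():
    """Create a constructed key/stash pair in a temp dir and run the check three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        kdb = Path(tmp, "mykeys.kdb")
        sth = Path(tmp, "mykeys.sth")
        kdb.write_bytes(b"constructed placeholder, not a GSKit key database")
        sth.write_bytes(b"constructed placeholder, not a GSKit stash file")
        os.chmod(kdb, 0o600)
        os.chmod(sth, 0o644)          # too open: any local user could read the password
        loose = check_keyfile_pair(kdb)
        os.chmod(sth, 0o600)          # owner-only, as it should be
        tight = check_keyfile_pair(kdb)
        missing = check_keyfile_pair(Path(tmp, "other.kdb"))
    return {"loose": loose, "tight": tight, "missing": missing}


if __name__ == "__main__":
    for case, found in demo().items():
        print(case, found or "OK")
```

Run it against the real paths you intend to type into the wizard (for example check_keyfile_pair(r"c:\keytab\mykeys.kdb") on Windows, where only the layout checks apply) before starting install_amsmscli; the same check applies to the key files that install_amweb and install_amwpi ask for.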
install_amweb
Table 34 lists the additional options that you are prompted for during installation using the install_amweb wizard, as instructed in Installing using the installation wizard on page 267. Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.
Table 34. install_amweb configuration options. * indicates a required option.

Registry *
    Select to specify the type of registry server that has been set up for Tivoli Access Manager. LDAP is the default. The Tivoli Access Manager WebSEAL installation wizard (install_amweb) first prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following runtimes:
    - Access Manager Runtime (LDAP) on page 378
    - Access Manager Runtime (Active Directory) on page 382
    - Access Manager Runtime (Domino) on page 389

Directory name * (for the IBM Global Security Kit (GSKit); prompted on Windows only)
    Specifies the IBM Global Security Kit (GSKit) installation directory if not already installed. The default directory is C:\Program Files\ibm\gsk7. Although you are prompted for the installation directory on Windows systems only, non-Windows systems use the following default installation directories:
    - AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
    - HP-UX and Solaris: /opt/ibm/gsk7
    - HP-UX on Integrity: /opt/ibm/gsk7_32 (32-bit) or /opt/ibm/gsk7_64 (64-bit)
    - Linux: /usr/local/ibm/gsk7

Directory name * (for the IBM Tivoli Directory Server client; prompted on Windows only)
    Specifies the IBM Tivoli Directory Server client installation directory if not already installed. The default directory is C:\Program Files\ibm\LDAP. Non-Windows systems use the following default installation directories:
    - AIX and Linux: /usr/ldap
    - HP-UX and Solaris: /opt/IBM/V6.1

Directory name * (for the IBM Tivoli Security Utilities; prompted on Windows only)
    Specifies the IBM Tivoli Security Utilities installation directory. The default directory is C:\Program Files\Tivoli\Policy Director. Non-Windows systems use the following default installation directory:
    - UNIX and Linux: /opt/IBM/Tivoli/SecUtilities

Directory name * (for the Access Manager Runtime; prompted on Windows only)
    Specifies the Access Manager Runtime installation directory. The default directory is C:\Program Files\Tivoli\Policy Director. Non-Windows systems use the following default installation directory:
    - UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging
    Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager writes its message and trace log data to the default locations that are defined by the Tivoli Access Manager product.

Directory name * (for the Tivoli Common Directory)
    Specifies the fully qualified path for the Tivoli Common Directory.
    - If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location is displayed in the field but cannot be modified.
    - If the location has not previously been established on the system, you can specify it.
    If Tivoli Common Directory is enabled and the location has not been previously established, the default common directory is:
    - Windows: C:\Program Files\ibm\tivoli\common
    - UNIX or Linux: /var/ibm/tivoli/common
    Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory named with a 3-character identifier. For IBM Tivoli Access Manager this is tivoli_common_dir/HPD. See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.
    If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to:
    - Windows: C:\Program Files\Tivoli\Policy Director\log
    - UNIX or Linux: /var/PolicyDirector/log

Policy server host name *
    Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to by its original name, the master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. For example: pdmgr or pdmgr.tivoli.com

Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Policy server CA certificate file
    Specifies the name of the certificate file of the Tivoli Access Manager certificate authority (PDCA), which signs the policy server certificate. Configuration of the Tivoli Access Manager policy server creates and saves a default base64-encoded certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS-approved algorithms. To obtain this file, do one of the following tasks:
    - During configuration of Access Manager Runtime, leave this field blank; the pdcacert.b64 file is then downloaded automatically from the policy server.
    - Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.
    You must distribute this file to each machine in your secure domain. It is needed for successful configuration, and it is the certificate that each runtime trusts when it verifies the policy server over SSL. The default location is:
    - Windows: C:\Program Files\Tivoli\Policy Director\keytab\pdcacert.b64
    - UNIX or Linux: /var/PolicyDirector/keytab/pdcacert.b64

Domain *
    Specifies the name of the Tivoli Access Manager default domain, which is known as the management domain. This domain is created when the policy server is configured. The default domain enforces security policies for authentication, authorization, and access control. Any security policy that is implemented in a domain affects only those objects in that domain. Users with authority to perform tasks in one domain do not necessarily have authority to perform those tasks in other domains. The default domain name is Default.

Host name
    Specifies the fully qualified name or IP address of the host system on which the policy proxy server is to be located. The installation wizard detects and fills in the host name of your system. For example: dana.tivoli.com

Registry server host name *
    Specifies the host name or IP address of the registry server. You can specify the fully qualified host name with or without the domain extension. Examples: registryserver or registryserver.tivoli.com

Registry server port *
    Specifies the port number on which the registry server listens for requests. The default port number is 389.

Directory name * (for the Web security runtime; prompted on Windows only)
    Specifies the Web security runtime installation directory. The default directory is C:\Program Files\Tivoli\PDWebRTE. Non-Windows systems use the following default installation directory:
    - UNIX or Linux: /opt/pdwebrte

Directory name * (for WebSEAL; prompted on Windows only)
    Specifies the WebSEAL installation directory. The default directory is C:\Program Files\Tivoli\PDWeb. Non-Windows systems use the following default installation directory:
    - UNIX or Linux: /opt/pdweb

WebSEAL instance name *
    Specifies the name by which the policy server identifies and contacts this Tivoli Access Manager WebSEAL instance. The instance name must not exceed 20 characters. The default instance name is default (lowercase).

Use logical network interface
    Select the check box to use a logical network interface and to be prompted for the IP address of the logical network interface. If not selected (the default), Tivoli Access Manager is not configured for a logical network interface.

IP address
    Specifies the IP address for the Tivoli Access Manager WebSEAL instance when using a logical network interface. Tivoli Access Manager does not support prefix notation for a netmask.
    Note: Both the IPv4 and IPv6 formats can be used for IP addresses. Refer to the Request for Comments (RFC) standard to determine what constitutes a valid representation of an IPv6 address.

Host name (for WebSEAL)
    Specifies the fully qualified local host name of the machine on which WebSEAL will run. For example: webseal1.tivoli.com

Listening port
    Specifies the port number on which WebSEAL listens for requests. The default WebSEAL listening port number is 7234.

Tivoli Access Manager administrator ID *
    Specifies the administrator identifier of the Tivoli Access Manager management domain. The default administrator ID is sec_master.

Tivoli Access Manager administrator password *
    Specifies the password for the Tivoli Access Manager administrator ID.

Enable HTTP access
    Specifies whether to enable HTTP access. If selected, you are prompted to specify the HTTP port number. HTTP access is enabled by default. Traffic on the HTTP port is not encrypted.

Enable HTTPS access
    Specifies whether to enable HTTPS access. If selected, you are prompted to specify the HTTPS port number. HTTPS access is enabled by default.

HTTP port
    Specifies the port number on which HTTP access is allowed. The default port number is 80.

HTTPS port
    Specifies the port number on which HTTPS access is allowed. The default port number is 443.

Web document root directory
    Specifies the root directory where Web document resources are created and secured by Tivoli Access Manager WebSEAL. When the first WebSEAL instance is configured, the default server instance name is default. When no value for the root directory is supplied, the default directory path includes the instance name prefixed by www-. The default directories are:
    - UNIX or Linux: /opt/pdweb/www-default/docs
    - Windows: C:\Program Files\Tivoli\PDWeb\www-default\docs

Enable SSL with the LDAP server
    Select the check box to enable encrypted Secure Sockets Layer (SSL) connections with the LDAP registry server. If SSL is enabled, you are prompted for the next four values.
    Note: You must first configure the registry server for SSL access.
    Default: enabled (check box is selected)

SSL key file with full path *
    Specifies the fully qualified path of the existing SSL client key file. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb. The SSL key file and password are usable if the registry server was installed and configured using the install_ldap_server installation wizard. If the SSL key file was generated by that wizard, the full path and key file name is either C:\Program Files\IBM\LDAP\V6.1\lib\am_key.kdb or the path and SSL key file name that was specified. If enabling SSL using an existing SSL key file, copy the SSL key file from the registry server system to any directory on your local system.

SSL key file password *
    The existing password associated with the specified SSL key file. The client key file password was set when the key file was first created. You can change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm; if you change it, remember the new password.

Certificate label
    Specifies the label of the SSL client certificate. This label is used only when SSL is enabled and the LDAP server has been configured to require client authentication. For example: PDLDAP
    Use a certificate label to select one of multiple certificates in the SSL key file, or a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

SSL port *
    Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.
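The Policy server CA certificate file option above makes pdcacert.b64 the trust anchor for every runtime's SSL connection to the policy server, and one of the two ways to obtain it is to copy the file by hand. The script below is an added example, not part of this guide or the product: it checks that a copied pdcacert.b64 is well-formed base64 DER and prints its SHA-256 fingerprint so it can be compared against the fingerprint computed on the policy server before the runtime is configured to trust it. It assumes the file carries PEM "BEGIN/END CERTIFICATE" armor but also accepts bare base64; SAMPLE_PEM wraps a constructed DER SEQUENCE, not a real certificate, so the script runs offline.

```python
"""Validate a copied pdcacert.b64 and compute its fingerprint for out-of-band comparison.

Added example; it is not part of this installation guide and not product code.
pdcacert.b64 is the CA certificate each Access Manager Runtime uses to verify the
policy server over SSL, so a host whose copy was substituted would trust an
impostor. Before configuring the runtime from a manually copied file, confirm
(1) the file decodes to a length-consistent DER SEQUENCE and (2) its SHA-256
fingerprint matches the one computed on the policy server. PEM armor lines are
assumed but optional. SAMPLE_PEM is a constructed DER SEQUENCE, not a certificate.
"""
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_to_der(text):
    """Strip optional PEM armor and decode base64 strictly; raise ValueError on junk."""
    body = text.strip()
    if BEGIN in body:
        m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), body, re.S)
        if not m:
            raise ValueError("BEGIN CERTIFICATE without matching END line")
        body = m.group(1)
    body = "".join(body.split())          # drop the 64/76-column line breaks
    if not body:
        raise ValueError("no base64 payload")
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"invalid base64: {exc}") from None


def der_sequence_length(der):
    """Return the declared total length of the outer DER SEQUENCE (tag 0x30), header included."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n big-endian length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint of the DER bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_ca_file(text):
    """Return {'ok': bool, 'fingerprint': str or None, 'reason': str} for the file contents."""
    try:
        der = pem_to_der(text)
        declared = der_sequence_length(der)
    except ValueError as exc:
        return {"ok": False, "fingerprint": None, "reason": str(exc)}
    if declared != len(der):
        return {"ok": False, "fingerprint": None,
                "reason": f"DER length {declared} does not match payload {len(der)}"}
    return {"ok": True, "fingerprint": sha256_fingerprint(der), "reason": "well-formed"}


def _constructed_der():
    """SEQUENCE { OCTET STRING of 200 bytes }: uses long-form lengths like a real certificate."""
    inner = b"\x04\x81\xc8" + b"\x00" * 200
    return b"\x30\x81" + bytes([len(inner)]) + inner


# Constructed sample in pdcacert.b64 layout; not a real IBM Tivoli Access Manager CA file.
SAMPLE_PEM = BEGIN + "\n" + base64.encodebytes(_constructed_der()).decode() + END + "\n"

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(check_ca_file(source))
```

Run it once on the policy server against its own pdcacert.b64 and once on each machine that received a copy; the fingerprints must agree. The check is deliberately a structure check, not a signature check: the file is self-signed by the PDCA, so the out-of-band fingerprint comparison is what establishes that the right CA is being trusted.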
install_amwebadk
Table 35 lists the additional options that you are prompted for during installation using the install_amwebadk wizard, as instructed in Installing using the installation wizard on page 259. Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.
Table 35. install_amwebadk configuration options. * indicates a required option.

Registry *
    Select to specify the type of registry server that has been set up for Tivoli Access Manager. LDAP is the default. The Tivoli Access Manager Web Security development (ADK) system wizard (install_amwebadk) first prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following runtimes:
    - Access Manager Runtime (LDAP) on page 378
    - Access Manager Runtime (Active Directory) on page 382
    - Access Manager Runtime (Domino) on page 389

Directory name * (for the IBM Global Security Kit (GSKit); prompted on Windows only)
    Specifies the IBM Global Security Kit (GSKit) installation directory if not already installed. The default directory is C:\Program Files\ibm\gsk7. Although you are prompted for the installation directory on Windows systems only, non-Windows systems use the following default installation directories:
    - AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
    - HP-UX and Solaris: /opt/ibm/gsk7
    - HP-UX on Integrity: /opt/ibm/gsk7_32 (32-bit) or /opt/ibm/gsk7_64 (64-bit)
    - Linux: /usr/local/ibm/gsk7

Directory name * (for the IBM Tivoli Directory Server client; prompted on Windows only)
    Specifies the IBM Tivoli Directory Server client installation directory if not already installed. The default directory is C:\Program Files\ibm\LDAP. Non-Windows systems use the following default installation directories:
    - AIX and Linux: /usr/ldap
    - HP-UX and Solaris: /opt/IBM/V6.1

Directory name * (for the IBM Tivoli Security Utilities; prompted on Windows only)
    Specifies the IBM Tivoli Security Utilities installation directory. The default directory is C:\Program Files\Tivoli\Policy Director. Non-Windows systems use the following default installation directory:
    - UNIX and Linux: /opt/IBM/Tivoli/SecUtilities

Directory name * (for the Access Manager Runtime; prompted on Windows only)
    Specifies the Access Manager Runtime installation directory. The default directory is C:\Program Files\Tivoli\Policy Director. Non-Windows systems use the following default installation directory:
    - UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging
    Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager writes its message and trace log data to the default locations that are defined by the Tivoli Access Manager product.

Directory name (for the Tivoli Common Directory)
    Specifies the fully qualified path for the Tivoli Common Directory.
    - If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location is displayed in the field but cannot be modified.
    - If the location has not previously been established on the system, you can specify it.
    If Tivoli Common Directory is enabled and the location has not been previously established, the default common directory is:
    - Windows: C:\Program Files\ibm\tivoli\common
    - UNIX or Linux: /var/ibm/tivoli/common
    Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory named with a 3-character identifier. For IBM Tivoli Access Manager this is tivoli_common_dir/HPD. See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.
    If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to:
    - Windows: C:\Program Files\Tivoli\Policy Director\log
    - UNIX or Linux: /var/PolicyDirector/log

Policy server host name *
    Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to by its original name, the master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. For example: pdmgr or pdmgr.tivoli.com

Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Policy server CA certificate file
    Specifies the name of the certificate file of the Tivoli Access Manager certificate authority (PDCA), which signs the policy server certificate. Configuration of the Tivoli Access Manager policy server creates and saves a default base64-encoded certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS-approved algorithms. To obtain this file, do one of the following tasks:
    - During configuration of Access Manager Runtime, leave this field blank; the pdcacert.b64 file is then downloaded automatically from the policy server.
    - Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.
    You must distribute this file to each machine in your secure domain. It is needed for successful configuration, and it is the certificate that each runtime trusts when it verifies the policy server over SSL. The default location is:
    - Windows: C:\Program Files\Tivoli\Policy Director\keytab\pdcacert.b64
    - UNIX or Linux: /var/PolicyDirector/keytab/pdcacert.b64

Domain *
    Specifies the name of the Tivoli Access Manager default domain, which is known as the management domain. This domain is created when the policy server is configured. The default domain enforces security policies for authentication, authorization, and access control. Any security policy that is implemented in a domain affects only those objects in that domain. Users with authority to perform tasks in one domain do not necessarily have authority to perform those tasks in other domains. The default domain name is Default.

Host name
    Specifies the fully qualified name or IP address of the host system on which the policy proxy server is to be located. The installation wizard detects and fills in the host name of your system. For example: dana.tivoli.com

Registry server host name *
    Specifies the host name or IP address of the registry server. You can specify the fully qualified host name with or without the domain extension. Examples: registryserver or registryserver.tivoli.com

Registry server port *
    Specifies the port number on which the registry server listens for requests. The default port number is 389.

Directory name * (for the Web security runtime; prompted on Windows only)
    Specifies the Web security runtime installation directory. The default directory is C:\Program Files\Tivoli\PDWebRTE. Non-Windows systems use the following default installation directory:
    - UNIX or Linux: /opt/pdwebrte
install_amwebars
Table 36 lists the configuration options for a Tivoli Access Manager Attribute Retrieval Service system. You are prompted for these options during configuration using the install_amwebars installation wizard, as instructed in Installing using the installation wizard on page 219. Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.
Table 36. install_amwebars configuration options. * indicates a required option.

Directory name * (for IBM HTTP Server; prompted on Windows only)
    Specifies the IBM HTTP Server installation directory. The default installation directory is C:\Program Files\IBMHttpServer. Although you are prompted for the installation directory on Windows systems only, non-Windows systems use the following default installation directories:
    - AIX: /usr/IBM/HTTPServer
    - All other UNIX or Linux platforms: /opt/IBM/HTTPServer

Directory name * (for WebSphere Application Server; prompted on Windows only)
    Specifies the WebSphere Application Server installation directory. The default installation directory is C:\Program Files\IBM\WebSphere\AppServer. Non-Windows systems use the following default installation directories:
    - AIX: /usr/IBM/WebSphere/AppServer
    - All other UNIX or Linux platforms: /opt/IBM/WebSphere/AppServer

Node name *
    Specifies the WebSphere node name that is used for administration. This name must be unique within its group of nodes (cell). The node host name is the DNS name or IP address of your local system. For example: wasserver1.tivoli.com or wasserver1

Host name
    Specifies the fully qualified local host name or IP address of the host machine on which the Access Manager Attribute Retrieval Service is to run. The installation wizard detects and fills in the host name of your system. For example: dana.tivoli.com

Local administrator ID *
    Specifies the identifier for the administrator account of the local host system on which you are logged on. On UNIX or Linux, this is root; on Windows, this is Administrator.

Local administrator password *
    Specifies the password for the administrator account of the local host system. This password was set when the operating system administrator account was created.

Directory name * (for Tivoli Access Manager Attribute Retrieval Service; prompted on Windows only)
    Specifies the installation directory for the Access Manager Attribute Retrieval Service component. The default installation directory is C:\Program Files\Tivoli\PDWebARS.
install_amwpi
The installation wizard for the Tivoli Access Manager plug-in for Web servers (install_amwpi) first prompts you for Access Manager Runtime configuration options based on the type of registry server. Table 37 lists the additional options that you are prompted for during installation using the install_amwpi wizard, as instructed in Installing using the installation wizard on page 241. Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for Secure Sockets Layer (SSL).
Table 37. install_amwpi configuration options. * indicates a required option.

Registry server host name *
    Specifies the host name or IP address of the registry server. You can specify the fully qualified host name with or without the domain extension. Examples: registryserver or registryserver.tivoli.com

Registry server port *
    Specifies the port number on which the registry server listens for requests. The default port number is 389.

Policy server host name *
    Specifies the host name or IP address of the Tivoli Access Manager policy server. The policy server manages the policy database (sometimes referred to by its original name, the master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. For example: pdmgr or pdmgr.tivoli.com

Policy server port *
    Specifies the port number on which the policy server listens for requests. The default port number is 7135.

Directory name * (for the plug-in for Web servers, the Plug-in for IIS on Windows; prompted on Windows only)
    Specifies the directory where you want to install the Tivoli Access Manager plug-in for Web servers. The default installation directory is C:\Program Files\Tivoli\PDWebPI. Although you are prompted for the installation directory on Windows systems only, non-Windows systems use the following default installation directory:
    - UNIX or Linux: /opt/PDWebPI/bin

Directory name * (for the Web Security Runtime; prompted on Windows only)
    Specifies the directory where the Access Manager Web Security Runtime is installed. The default installation directory on Windows is C:\Program Files\Tivoli\PDWebRTE. Non-Windows systems use the following default installation directory:
    - UNIX or Linux: /opt/PDWebRTE

Tivoli Access Manager administrator ID *
    Specifies the identifier for an existing administrator account for the Tivoli Access Manager domain. The default administrator ID is sec_master.
Chapter 21. Installation wizard options
Table 37. install_amwpi configuration options (continued). * indicates a required option. Configuration Options Tivoli Access Manager administrator password * Description Specifies the password for the specified Tivoli Access Manager administrator ID. This administrator password was created when the administrator account was created. Basic authentication requires the Tivoli Access Manager administrator to enter a valid user name and password before access to a secure online resource can be granted. The installation wizard detects and fills in the host name of your system. Specifies the fully qualified name or IP address of the host system. When multiple host names are used, this field determines which host name is to be used by Tivoli Access Manager. The dot (.) cannot be the last character of the host name. For example: dana.tivoli.com Enable Tivoli Common Directory for logging Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager will write its message and trace log data to default locations that are defined by the Tivoli Access Manager product. Specifies the fully qualified path for the Tivoli Common Directory. v If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed in the field but it cannot be modified. v If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location. If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory name is: v Windows: C:\Program Files\ibm\tivoli\common v UNIX or Linux: /var/ibm/tivoli/common Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. 
Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers. If Tivoli Common Directory is not enabled, Tivoli Access Manager will write its message and trace log data to the following location: v Windows: C:\Program Files\Tivoli\Policy Director\log v UNIX or Linux: /var/PolicyDirector/log
436
Table 37. install_amwpi configuration options (continued). * indicates a required option.

Web server
    Choose the type of Web server to be used with the Tivoli Access Manager plug-in for Web servers. The list displayed depends on the installation platform. Select one Web server from the list displayed. The Tivoli Access Manager plug-in for Web servers supports these servers and platforms:
    • IBM HTTP Server
    • Apache Web Server
    • Sun Java System Web Server
    • Microsoft Internet Information Services
    Note: The Web server selected must already be installed and configured.

Web server configuration directory with full path *
    Specifies either the directory that contains the Web server configuration file or the Sun Java System Web Server installation root directory, depending on the type of Web server to be installed. The set of characters permitted in a directory or file name can be determined by the file system and by the local code set. The default locations depend on the installation platform. The default directories are:
    • Apache Web Server on AIX, Linux (System z), or Solaris: /usr/local/apache/conf
    • IBM HTTP Server on AIX: /usr/HTTPServer/conf
    • IBM HTTP Server on Linux (x86 or System z): /opt/IBMHTTPServer/conf
    • IBM HTTP Server on Solaris: /opt/IBMHTTPD/conf
    • Sun Java System Web Server on AIX and Solaris: /opt/SUNWwbsvr

Enable SSL with the registry server
    Select the check box to enable SSL communication. You can enable SSL to protect information, such as user passwords and private data. However, SSL is not required for Tivoli Access Manager to operate. SSL allows the data that is transmitted between the IBM Tivoli Access Manager plug-in for Web servers and the registry server to be encrypted, providing data privacy and integrity.
    Note: You must first configure the registry server for SSL access.
    Default: enabled (The check box is selected.)

If SSL is enabled, you are prompted for the following values:

SSL key file with full path *
    Specifies the fully qualified path where the existing SSL client key file is located. Use the SSL key file to handle certificates that are used in SSL communication with the registry server. The signer of the SSL certificate must be recognized as a trusted certificate authority in the client key database. Any file extension can be used, but the file extension is normally .kdb. For example: c:\keytab\mykeys.kdb
    If you plan to enable SSL, copy the SSL key file to any directory on your local system. This key file must be obtained (copied) from the registry server.
Table 37. install_amwpi configuration options (continued). * indicates a required option.

SSL key file password *
    Specifies the password that is associated with the existing SSL key file. Remember this password if the gsk7ikm utility is used to change the SSL key file password.

Certificate label
    Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the LDAP server has been configured to require client authentication. For example: DANASSLKEY. Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

SSL port *
    Specifies the port number on which the registry server listens for SSL requests. SSL communication takes place between the IBM Tivoli Access Manager Web server and the registry server. A valid SSL port number is any positive number that is allowed by TCP/IP but is not currently being used by another application. The default port number is 636.
install_amwpm
Table 38 lists configuration option descriptions for a Tivoli Access Manager Web Portal Manager system. You are prompted for these options during configuration using the install_amwpm installation wizard as instructed in Installing using the installation wizard on page 201. Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.
Table 38. install_amwpm configuration options. * indicates a required option.

Directory name * (for IBM HTTP Server; prompted on Windows only)
    Specifies the IBM HTTP Server installation directory. The default directory is: C:\Program Files\IBM HTTP Server
    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
    • AIX: /usr/HTTPServer
    • HP-UX, Linux and Solaris: /opt/IBMHTTPServer

Directory name * (for IBM WebSphere Application Server; prompted on Windows only)
    Specifies the IBM WebSphere Application Server installation directory. The default directory is: C:\Program Files\IBM\WebSphere\AppServer
    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
    • AIX: /usr/WebSphere/AppServer
    • HP-UX, Linux and Solaris: /opt/IBM/WebSphere/AppServer
    If a compatible version of WebSphere Application Server is detected by the wizard, you will be given the choice to use that version or have the wizard install a new one. If you choose to use the existing WebSphere Application Server, ensure you also have the plug-ins and HTTP server installed and working properly before continuing with the wizard. If you do not have a working HTTP server, choose the native install method to install the Web Portal Manager.

Node name *
    Specifies the WebSphere node name that is used for administration. This name must be unique within its group of nodes (cell).

Host name
    Specifies the fully qualified name or IP address of the host system on which the Web Portal Manager is to be located. The host name is the Distinguished Name Server (DNS) name or IP address of your local system. The installation wizard detects and fills in the host name of your system. For example: dana.tivoli.com

Local administrator ID *
    Specifies the administrator identifier with which you are logged on to your local system. (On UNIX or Linux, this is root; on Windows, this is Administrator.)
Table 38. install_amwpm configuration options (continued). * indicates a required option.

Local administrator password *
    Specifies the password of the local administrator ID.

Directory name * (prompted on Windows only)
    Specifies the Access Manager Runtime for Java directory. The default directory is: C:\Program Files\Tivoli\Policy Director
    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:
    • UNIX and Linux: /opt/PolicyDirector

Policy server host name *
    Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to by its original name of master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. Examples: pdmgr, pdmgr.tivoli.com
    Note: You are prompted for this option twice during configuration.

Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.
    Note: You are prompted for this option twice during configuration.

JRE directory *
    Specifies the fully qualified path of the Java Runtime Environment (JRE) that is being configured for Tivoli Access Manager. The path is the JRE that was installed with WebSphere Application Server.

Policy server administrator ID *
    Specifies the administrator identifier of the Tivoli Access Manager management domain. The default policy server administrative ID is sec_master.

Policy server administrator password *
    Specifies the password for the Tivoli Access Manager administrator ID.

Tivoli Access Manager domain *
    Specifies the name of the Tivoli Access Manager domain. The default domain name is Default, which indicates the management domain.

Web server *
    Specifies the Web server which is used by WebSphere Application Server, either IBM HTTP Server or Microsoft Internet Information Services.

This Access Manager domain contains an authorization server
    Indicates that the Tivoli Access Manager authorization server is to be configured.

Enable SSL with the IBM WebSphere Application Server
    Indicates that Secure Sockets Layer (SSL) security is to be enabled between Web Portal Manager and IBM WebSphere Application Server.
Table 38. install_amwpm configuration options (continued). * indicates a required option.

Authorization server host name *
    Specifies the host name or IP address of the Tivoli Access Manager authorization server.

Authorization server port *
    Specifies the port number used by the authorization server. The default port number is 7136.

IBM WebSphere Application Server administrator ID *
    Specifies the ID of the IBM WebSphere Application Server administrator.

IBM WebSphere Application Server administrator password *
    Specifies the password for the IBM WebSphere Application Server administrator.

Trust store file with full path *
    Specifies the fully qualified path where the existing trust store file is located.

Trust store file password *
    Specifies the password for the trust store file.

SSL key file with full path *
    Specifies the fully qualified path to the existing SSL key file. The key file holds the client-side certificates used in SSL communications.

SSL keyfile password *
    Specifies the password associated with the SSL key file.

Host name *
    Specifies the host name or IP address of the IBM WebSphere Application Server.

Port *
    Specifies the SOAP port used by the IBM WebSphere Application Server. The default port number is 8880.
    Note: Change this value only if the server is already configured to use a different port number. This process does not attempt to set this value for the server.

    Specifies the name of the application server or cluster where Web Portal Manager is to be deployed.

    Specifies the name of the Web server.
install_ldap_server
Table 39 lists configuration options for IBM Tivoli Directory Server and its prerequisite software.
Notes:
1. Depending on whether you are installing on a Windows, UNIX, or Linux platform, you might be prompted for these options in a different sequence than listed.
2. You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.
Table 39. install_ldap_server configuration options. * indicates a required option.

Directory name * (for the IBM Global Security Kit (GSKit); prompted on Windows only)
    Specifies the IBM Global Security Kit (GSKit) installation directory. The default directory is: C:\Program Files\ibm\gsk7
    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
    • AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
    • HP-UX and Solaris: /opt/ibm/gsk7
    • HP-UX on Integrity: /opt/ibm/gsk7_32 on 32-bit, /opt/ibm/gsk7_64 on 64-bit
    • Linux: /usr/local/ibm/gsk7

Directory name * (for IBM DB2; prompted on Windows only)
    Specifies the IBM DB2 installation directory. The default directory is: C:\Program Files\IBM\SQLLIB
    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:
    • UNIX or Linux: /opt/IBM/db2/V9.1

Directory name * (for IBM Tivoli Directory Server; prompted on Windows only)
    Specifies the IBM Tivoli Directory Server installation directory. The default directory is: C:\Program Files\IBM\LDAP
    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:
    • UNIX or Linux: /opt/IBM/ldap/V6.1
Table 39. install_ldap_server configuration options (continued). * indicates a required option.

DB2 administrator ID (also used for the instance name) *
    Specifies the identifier of the DB2 database owner ID (administrator), which is also used as the LDAP server instance name. The administrator ID owns the database instance where the DB2 database exists. The identity will be used for both the DB2 administrator ID and the DB2 database owner ID. On Windows platforms, the user must be a member of the Administrators group and must be in the same domain as the administrator ID. On UNIX or Linux platforms, the user must have a home directory and must be the owner of the home directory. For example, ldapdb2 (UNIX) or db2admin (Windows). For guidelines, see Preinstallation requirements on page 54.

DB2 administrator password *
    Specifies the password for the DB2 database owner ID that you created when you configured IBM DB2. The password must be set correctly and ready to use.

Group for the DB2 administrator (UNIX)
    A list of the names of all the existing groups that the user root is currently a member of. The default group is bin.

Create the DB2 administrator if it does not already exist
    Prior to installation, you can create a DB2 database owner ID. Select the check box to specify whether the installation wizard should automatically create the DB2 administrator account. If the check box is not selected, the DB2 administrator user must already exist, or you must exit the installation wizard to create the account.
    Default: enabled (The check box is selected.)

Directory server database home *
    Specifies the fully qualified path where the DB2 database will be located.
    • Windows: C:
    • AIX and HP-UX: /home/ldapdb2
    • Linux: /home/ldapdb2
    • Solaris: /export/home/ldapdb2

DB2 database name *
    Specifies the name of the DB2 database. The database name can be anything you choose. The default is amdb.
Table 39. install_ldap_server configuration options (continued). * indicates a required option.

Encryption seed
    Specifies the seed that is used to create the key stash files for the IBM Tivoli Directory Server instance. This encryption seed is used to generate a set of Advanced Encryption Standard (AES) secret key values. These values are stored in the IBM Tivoli Directory Server instance key stash file and are used to encrypt and decrypt the IBM Tivoli Directory Server stored password and IBM Tivoli Directory Server secretkey attributes. The seed can be anything you choose. The encryption seed must contain only printable ISO-8859-1 ASCII characters with values in the range of 33 to 126, such as a-z, A-Z, and 0-9. For more specific information about what characters can be used, see the IBM Tivoli Directory Server installation and configuration documentation. The seed must be a minimum of 12 and a maximum of 1016 characters in length. For example: 0123456789012
    Record the encryption seed in a secure location; you might need it if you export data to an LDIF file or regenerate the key stash file.

Administrator ID *
    Specifies the administrator's distinguished name (DN), which was created when you configured the LDAP server. The administrator DN is the DN that is used by the administrator of the directory. This administrator is the one user who has full access to all data in the directory. The ID is also referred to as the bind DN. The default administrator ID is cn=root.

Administrator password
    Creates a new password for the LDAP administrator ID.

Administrator password (confirmation)
    Specifies the LDAP administrator ID password again for confirmation.

Suffix
    Specifies a suffix to maintain user and group data. For example: o=ibm,c=us

Minimal
    Specifies a type of format for LDAP objects that are used to maintain the user and group tracking information. This format is valid only for IBM Tivoli Access Manager Version 6.0 or later. Use this format if you want to reduce the size of your user registry information by using minimal user and group tracking information.

Standard
    Specifies a type of format for LDAP objects that are used to maintain the user and group tracking information. This format is valid only for IBM Tivoli Access Manager Version 6.0 or later.

Host name
    Specifies the fully qualified name or IP address of the host system on which the LDAP server is to be located. The installation wizard detects and fills in the host name of your system. For example: dana.tivoli.com
Table 39. install_ldap_server configuration options (continued). * indicates a required option.

Non-SSL port *
    Specifies the port number on which the LDAP server listens. The default port number is 389.

SSL port *
    Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.

SSL key file with full path *
    Specifies the fully qualified path where the existing SSL client key file is located or, if the Create SSL key file check box is selected, where the newly created SSL key file will be located. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb. If the SSL key file is created automatically by the installation wizard, the full path and key file name is either C:\Program Files\IBM\LDAP\V6.1\lib\am_key.kdb or any path and SSL key file name that you choose.

SSL key file password *
    Specifies the existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If changed, remember this password.

Certificate label
    Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the LDAP server has been configured to require client authentication. For example: PDLDAP. Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

Create SSL key file
    Select the check box to create an SSL key file. The key file holds the client-side certificates that are used in SSL communication. The installation wizard uses IBM Global Security Kit (GSKit) to generate the certificate and the SSL key file.
    Default: enabled (The check box is selected.)

Enable Federal Information Processing Standards (FIPS)
    Select the check box to enable Federal Information Processing Standards (FIPS). The installation wizard creates all keys and certificates using FIPS-approved algorithms. When using a certificate from a certificate authority (CA), if FIPS enablement is required, make sure the certificate was generated with FIPS-approved algorithms. By selecting this check box, the IBM Tivoli Directory Server will be configured to use the appropriate FIPS secure communications protocol.
    Default: not enabled (The check box is not selected.)
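Several of the Table 39 values are only checked once the wizard is already running (the encryption seed length and character set, the LDAP listener ports, the .kdb key file path), and Table 37 adds that an SSL port must not already be in use. The following pre-flight script is an added example, not part of the IBM guide or the install_ldap_server wizard; the function names and the constructed sample values are this example's own. It applies exactly the rules the tables state, so a mistyped seed or a port clash is caught before the wizard fails part-way through configuration.

```python
"""Pre-flight checks for install_ldap_server wizard inputs (added example).

Validates values against the rules stated in Table 39 (encryption seed,
LDAP ports, SSL key file) and the port caveat in Table 37. Function names
and the sample values in main() are assumptions of this example.
"""
import os
import socket

SEED_MIN_LEN = 12     # Table 39: minimum encryption seed length
SEED_MAX_LEN = 1016   # Table 39: maximum encryption seed length


def check_encryption_seed(seed: str) -> list[str]:
    """Return a list of problems with the encryption seed (empty if valid).

    Table 39 rules: 12 to 1016 characters, each a printable ISO-8859-1
    character with a value in the range 33..126. That excludes spaces,
    control characters and any non-ASCII letters.
    """
    problems = []
    if not SEED_MIN_LEN <= len(seed) <= SEED_MAX_LEN:
        problems.append(
            f"seed length {len(seed)} is outside {SEED_MIN_LEN}..{SEED_MAX_LEN}")
    bad = sorted({c for c in seed if not 33 <= ord(c) <= 126})
    if bad:
        problems.append("seed contains disallowed characters: " + repr("".join(bad)))
    return problems


def check_ports(non_ssl_port: int, ssl_port: int) -> list[str]:
    """Check the LDAP listener ports (defaults 389 and 636 in Table 39).

    A valid port is a positive TCP/IP port number, and the non-SSL and
    SSL listeners cannot share one.
    """
    problems = []
    for name, port in (("non-SSL port", non_ssl_port), ("SSL port", ssl_port)):
        if not 1 <= port <= 65535:
            problems.append(f"{name} {port} is not a valid TCP port")
    if non_ssl_port == ssl_port:
        problems.append("non-SSL port and SSL port must differ")
    return problems


def check_key_file(path: str, create_new: bool) -> list[str]:
    """Check the SSL key file path.

    Table 39: the extension is always .kdb. When the wizard is going to
    create the file (Create SSL key file selected) only the name is
    checked; otherwise the existing file must be present on this system.
    """
    problems = []
    if not path.lower().endswith(".kdb"):
        problems.append(f"key file {path!r} does not use the .kdb extension")
    if not create_new and not os.path.isfile(path):
        problems.append(f"existing key file {path!r} was not found")
    return problems


def port_in_use(port: int, host: str = "127.0.0.1") -> bool:
    """True if something already accepts connections on host:port.

    Table 37 requires a port that is not currently used by another
    application; a successful local connect means it is taken.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(0.2)
        return s.connect_ex((host, port)) == 0


def main() -> None:
    # Constructed sample inputs for illustration only.
    seed = "0123456789012"          # the example seed from Table 39
    non_ssl, ssl = 389, 636         # the Table 39 default ports
    key_file = r"C:\Program Files\IBM\LDAP\V6.1\lib\am_key.kdb"
    problems = (check_encryption_seed(seed)
                + check_ports(non_ssl, ssl)
                + check_key_file(key_file, create_new=True))
    for port in (non_ssl, ssl):
        if port_in_use(port):
            problems.append(f"port {port} is already in use on this host")
    print("OK" if not problems else "\n".join(problems))


if __name__ == "__main__":
    main()
```

Run it on the values you intend to type into the wizard; an empty problem list means the inputs satisfy the documented constraints, while the port-in-use check only covers listeners reachable on the loopback address of the host you run it on.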
Table 40. Access Manager Runtime configuration options, LDAP (continued). * indicates a required option.

LDAP server port
    Specifies the port number on which the LDAP type of registry server listens. The default port number is 389.

If the Tivoli Access Manager policy server is not installed on the same system as the Access Manager Runtime, you are prompted for the next two values:

Policy server host name
    Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to as master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. You can specify the fully qualified host name with or without the domain extension. Examples: pdmgr, pdmgr.tivoli.com

Policy server SSL port
    Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Domain
    Specifies the name of the Tivoli Access Manager default domain, which is also known as the management domain. This domain is created when the policy server is configured. The default domain enforces security policies for authentication, authorization, and access control. Any security policy that is implemented in a domain affects only those objects in that domain. Users with authority to perform tasks in one domain do not necessarily have authority to perform those tasks in other domains. The default value is Default, which indicates the management domain.

On systems other than Windows, you can enable SSL connections between this Tivoli Access Manager runtime system and the LDAP server. If selected, you are prompted for the next values:

Non-SSL port *
    Specifies the port number on which the LDAP server listens. The default port number is 389.

Port number *
    Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.
Table 40. Access Manager Runtime configuration options, LDAP (continued). * indicates a required option.

Key file with full path *
    Specifies the fully qualified path where the existing SSL client key file is located or, if the Create SSL key file check box is selected, where the newly created SSL key file will be located. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb. Copy the SSL key file to any directory on your local system. This key file must be obtained (copied) from the LDAP server.

Key file password
    Specifies the existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If changed, remember this password.

Certificate label
    Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the LDAP server has been configured to require client authentication. For example: PDLDAP. Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

Create SSL key file
    Select the check box to create an SSL key file. The key file holds the client-side certificates that are used in SSL communication. The installation wizard uses IBM Global Security Kit (GSKit) to generate the certificate and the SSL key file.
    Default: enabled (The check box is selected.)

Enable Federal Information Processing Standards (FIPS)
    Select the check box to enable Federal Information Processing Standards (FIPS). The installation wizard creates all keys and certificates using FIPS-approved algorithms. When using a certificate from a certificate authority (CA), if FIPS enablement is required, make sure the certificate was generated with FIPS-approved algorithms. By selecting this check box, the IBM Tivoli Directory Server will be configured to use the appropriate FIPS secure communications protocol.
    Note: All runtimes must set their configurations to match whether or not FIPS is enabled. The runtimes cannot be mixed.
    Default: not enabled (The check box is not selected.)
Active Directory domain
    Specifies the Active Directory domain name. If configured to multiple domains, the name will be displayed automatically. For example: dc=tivoli,dc=com

Enable encrypted connections
    Specifies whether encrypted communication to Microsoft Active Directory should be used. When the check box is selected, Kerberos is used in the Microsoft Active Directory Service Interface (ADSI) to encrypt data in the connection to the Microsoft Active Directory server. This setting is equivalent to enabling an SSL connection in a system environment that uses the LDAP client to communicate with the Active Directory server. The default value is not enabled (Tivoli Access Manager is not configured for encryption).

Specify the location of the Access Manager Policy Server. If you select Access Manager Policy Server is installed on another machine, you are prompted for the host name and listening port values:
Table 41. Access Manager Runtime configuration options, Active Directory (continued). * indicates a required option.

Host name
    Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to as master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. You can specify the fully qualified host name with or without the domain extension. Examples: pdmgr, pdmgr.tivoli.com

Listening port
    Specifies the port number on which the Tivoli Access Manager policy server listens for SSL requests. The default port number is 7135.

On systems where the LDAP client is used to communicate with the Active Directory server, you can enable SSL connections between the LDAP client and the Active Directory server. If Enable encrypted connections is selected, you are prompted for the next four values:

Port number
    Specifies the port number on which the registry server listens for SSL requests. The default port number is 636.

Key file with full path
    Specifies the fully qualified path where the existing SSL client key file is located or, if the Create SSL key file check box is selected, where the newly created SSL key file will be located. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb. This key file must be obtained using the gsk7ikm utility and the Active Directory server CA certificate. If the SSL key file is created automatically by the installation wizard, the full path and key file name is either C:\Program Files\IBM\LDAP\V6.1\lib\am_key.kdb or any path and SSL key file name that you choose. If enabling SSL using an existing SSL key file, manually copy the SSL key file to any directory on your local system. This key file must be obtained (copied) from the LDAP server.
Table 41. Access Manager Runtime configuration options, Active Directory (continued). * indicates a required option.

Certificate label
    Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the LDAP server has been configured to require client authentication. For example: PDLDAP. Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

Key file password
    Specifies the existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If changed, remember this password.

Active Directory domain administrator ID
    Specifies the identifier for the administrator account of the Microsoft Active Directory domain. This administrator ID was created when the Microsoft Active Directory domain was created. This administrator ID should have been added to the groups Administrators, Domain Administrators, Enterprise Administrators, and Schema Administrators. Note that this administrator user account is for a Microsoft Active Directory user only, and not for a Tivoli Access Manager user.

Active Directory domain administrator password
    Specifies the password for the Microsoft Active Directory domain administrator ID. This administrator password was created when you created your Microsoft Active Directory administrator account.

Enable the use of e-mail address as user ID
    Enables the use of an e-mail address as the userPrincipalName user ID.

Global Catalog server host name (Active Directory LDAP mode only)
    Specifies the Active Directory host name for the Global Catalog Server.

Global Catalog server port (Active Directory LDAP mode only)
    Specifies the Active Directory Global Catalog port. For non-SSL enablement, the default is 3268. For SSL enablement, the default is 3269.

Access Manager data location distinguished name
    Specifies the distinguished name that is used by Microsoft Active Directory to indicate where you want to store Tivoli Access Manager data. The default value is the input value for Active Directory Domain. For example: dc=tivoli,dc=com
    If Tivoli Access Manager is configured using multiple Active Directory domains, this value is automatically set to the value of the Active Directory primary domain. Note that this field is only prompted for input when the check box is not selected for Configure to Multiple Active Directory Domains.

Enable Tivoli Common Directory for logging
    Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files, such as trace and message logs.
Table 41. Access Manager Runtime configuration options, Active Directory (continued). * indicates a required option.

Directory Name (for Tivoli Common Directory)
    Specifies the fully qualified path for the Tivoli Common Directory.
    • If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed in the field but it cannot be modified.
    • If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.
    If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory names are:
    • Windows: C:\Program Files\ibm\tivoli\common
    • UNIX or Linux: /var/ibm/tivoli/common
    Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD
    See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.
    If Tivoli Common Directory is not enabled, Tivoli Access Manager will write its message and trace log data to the following location:
    • Windows: C:\Program Files\Tivoli\Policy Director\log
    • UNIX or Linux: /var/PolicyDirector/log

Directory name
    Specifies the log directory for the first Tivoli software product installed. The first time you configure Tivoli Common Directory, you can specify the directory where you want the log files to be located. Afterward, you can configure Tivoli software to use this directory.
If you are using Active Directory as your registry, an activedir.conf file is created in the following directory:
%PD_INSTALL_DIR%\etc
where PD_INSTALL_DIR is the directory where Tivoli Access Manager is installed and C:\Program Files\Tivoli\Policy Director is the default Windows directory.
    Specifies the password associated with the Notes client software administrative user's ID file located on the IBM Lotus Domino server.

    Specifies the name of the database located on the IBM Lotus Domino server that is associated with Tivoli Access Manager data. The default value is PDMdata.nsf.

Directory Name
    Specifies the fully qualified path for the Tivoli Common Directory.
    • If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed in the field but it cannot be modified.
    • If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.
    If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory name is:
    • Windows: C:\Program Files\ibm\tivoli\common
    • UNIX or Linux: /var/ibm/tivoli/common
    Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD
    See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.
    If Tivoli Common Directory is not enabled, Tivoli Access Manager will write its message and trace log data to the following location:
    • Windows: C:\Program Files\Tivoli\Policy Director\log
    • UNIX or Linux: /var/PolicyDirector/log
Table 42. Access Manager Runtime configuration options, Domino (continued). * indicates a required option.

Enable Tivoli Common Directory for logging
    Select the check box to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files, such as trace and message logs.

Specify the location of the Access Manager Policy Server. If you select Access Manager Policy Server is installed on another machine, you are prompted for the host name and listening port values:

Host name
    Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to by its original name of master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. Examples: pdmgr, pdmgr.tivoli.com

Listening port
    Specifies the port number on which the Tivoli Access Manager policy server listens for SSL requests. The default port number is 7135.

    The IBM Lotus Notes name and address book (NAB) located in the IBM Lotus Domino directory on your server. The database file name is set at configuration time and cannot be changed. Default: names.nsf
Local Admin ID
Tivoli Access Manager administrator (or Administrator ID for domain Default)
Password
Local host name
Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.
Access Manager Policy Server domain null information

Enable Tivoli Common Directory for logging
Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files, such as trace and message logs.
Table 45. Access Manager Runtime for Java configuration options (continued). * indicates a required option.

Directory name
Specifies the fully qualified path for the Tivoli Common Directory.
v If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location is displayed in the field but cannot be modified.
v If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.
If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory name is:
v Windows: C:\Program Files\ibm\tivoli\common
v UNIX or Linux: /var/ibm/tivoli/common
Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD
See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.
If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:
v Windows: C:\Program Files\Tivoli\Policy Director\log
v UNIX or Linux: /var/PolicyDirector/log
Specifies the port number for the Edge Server caching proxy. The default port is 80.
Note: The Edge Server caching proxy is deprecated.

Specifies the identifier for the Tivoli Access Manager administrator of the management domain. The default administrator ID is sec_master.

Specifies the password for the Tivoli Access Manager administrator ID.
Note: On Windows systems, configuration of this plug-in for an Active Directory registry server requires an administrator password for the configuration tool to perform successfully.
Access Manager administrative user ID password
Port number on which to listen for authorization policy updates
For LDAP registries on UNIX only, you are prompted whether to enable SSL communication.

Enable SSL communication between the Tivoli Access Manager Plug-in for Web Servers authorization server and the LDAP server
Enabling SSL is not necessary in environments where the Web server and registry server are located in the same secure network. If you can be sure of the integrity and security of data sent between the Web server and your registry, choosing not to use SSL improves network bandwidth by removing the security overhead.
If you enable SSL between the Tivoli Access Manager Plug-in for Web Servers authorization server and the LDAP server, you are prompted for the next four values:
Table 47. Plug-in for Web Servers on UNIX (continued). * indicates a required option.

Location of the LDAP SSL client key file
Specifies where you want the client key file to be placed. The default location is /usr/ldap/lib/ldapkey.kdb.
Note: When Tivoli Access Manager Plug-in for Web Servers is installed on the same machine as the policy server and configured with SSL to LDAP, the LDAP client key file cannot be shared. UNIX file permissions are essential for protecting files from unauthorized access. The LDAP client key file can be shared if the permissions allow Plug-in users access to the file.

Specifies the label in the client LDAP key database file of the client certificate to be sent to the server. This label is required only if the server is configured to require client authentication during SSL establishment or if you want to use a non-default certificate in your key file. Typically, the LDAP server requires only server-side certificates that were specified during creation of the client .kdb file. If the SSL client key file label is not required, leave this field blank.

LDAP SSL client key file password
Specifies the existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If changed, remember this password.

Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.
Access Manager administrative user ID password *
Port number on which to listen for authorization policy updates *
Access Manager administrator password *
Confirm password *
Policy server SSL port *
Table 49. Access Manager Policy Server configuration options (continued). * indicates a required option.

Management domain name
The name of the management domain. The initial administrative domain created when the policy server is configured is the management domain. The management domain name must be unique within the LDAP server. The name must be an alphanumeric string up to 64 characters long and is case-insensitive. The default is Default.

LDAP management domain location DN
The distinguished name of the location within the LDAP server where the Access Manager metadata will be stored. By default, the management domain information is stored in its own suffix using the format secAuthority=<management_domain_name>. Whether the distinguished name is specified or the default is used, the location must already exist in the LDAP server.
Administrator ID *
Table 51. Access Manager Web Portal Manager configuration options (continued). * indicates a required option.

IBM WebSphere Application Server administrator ID *
Specifies the identifier for an administrator account for the existing IBM WebSphere Application Server. All administrator IDs must follow the IBM WebSphere Application Server naming policy.

Specifies the password for the specified existing IBM WebSphere Application Server administrator ID. This administrator password was created when you created the IBM WebSphere Application Server administrator account.

Specifies the fully qualified path where the existing trust store file is located. Use the trust store file to handle server-side certificates that are used in SSL communication. The trust store file verifies the certificate presented by the server. The signer of the SSL certificate must be recognized as a trusted certificate authority (CA). To specify the SSL client key file, type the fully qualified path and file name for the trust store file or browse and choose an existing trust store file.

Specifies the existing password that protects the trust store file if a secure connection with the IBM WebSphere Application Server is being used. The trust store file password was set when the trust store file was first created.

Specifies the fully qualified path where the existing key file is located. The key file holds the client-side certificates that are used in SSL communication. To specify the SSL client key file, type the fully qualified path and file name for the key file or browse and choose an existing key file.

Specifies the existing password that is associated with the specified client key file. The key file password was set when the key file was first created.

Clusters *
Select an existing cluster where Web Portal Manager is to be deployed from the list displayed. You must select at least one cluster or application server. For example: WPM_Cluster

Application servers *
Select an existing application server from the list displayed where Web Portal Manager is to be deployed. You must select at least one application server or cluster. For example: WebSphere:cell=was01Cell01,node=was01Node01,server=server1

Web servers
Select an existing Web server from the list displayed where Web Portal Manager is to be deployed. For example: WPM_WebServer
Table 51. Access Manager Web Portal Manager configuration options (continued). * indicates a required option.

Host name * (Tivoli Access Manager policy server or policy proxy server)
Specifies the host name or IP address of the Tivoli Access Manager policy server or policy proxy server. The policy server manages the policy database (sometimes referred to as the master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. For example: WPM_PolServer

Specifies the port number on which the Tivoli Access Manager policy server or policy proxy server listens for SSL requests. Use the default port number value, which is server-dependent. The default port number for the policy server is 7135. The default port number for the policy proxy server is 7138.

Select the check box to configure the Tivoli Access Manager authorization server. Default: not enabled (The check box is not selected.)

Host name *
Specifies the existing fully qualified host name or IP address to configure the Tivoli Access Manager authorization server to be used by Web Portal Manager. For example: WPM_AuthServer

Port *
Specifies the port number on which the Tivoli Access Manager authorization server listens for SSL requests. Use the default port number value, which is server-dependent. The default port number for the authorization server is 7136.

Administrator ID *
Specifies the identifier for an existing administrator account for the specified Tivoli Access Manager domain. The default Tivoli Access Manager administrator ID is sec_master.

Administrator password *
Specifies the password that is associated with the specified Tivoli Access Manager administrator ID. This administrator password was created when you created the administrator account.

Domain *
Specifies the name of the domain. The domain must already exist. Any security policy that is implemented in a domain affects only those objects in that domain. Users with authority to perform tasks in one domain do not necessarily have the authority to perform those tasks in other domains. The default domain name is Default, which indicates the management domain.
Administrator ID *
Table 52. Access Manager WebSEAL configuration options (continued). * indicates a required option.

Key file with full path
Specifies the fully qualified path where the SSL client key database file is located on the runtime system. This key file must be obtained from the LDAP server. Any file extension can be used, but the file extension is normally .kdb. Use the SSL key file to handle certificates that are used in SSL communication. The signer of the SSL certificate must be recognized as a trusted certificate authority in the client key database.

Key file password
Specifies the existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If changed, remember this password.

Certificate label
Specifies the SSL certificate label of the client certificate in the SSL key database that is sent to the registry server if the registry server is configured to perform both server and client authorization during SSL establishment. This label is only valid when SSL is being used and when the registry server has been configured to require client authorization. Typically, the registry server requires only server-side certificates that were specified during creation of the client .kdb file. The certificate label is an alphanumeric, case-sensitive string that you choose. String values should be characters that are part of the local code set. For example: PDLDAP
This field requires that you type any character. Because you do not need to set up client-side certificate authentication, the character that you specify is ignored.

SSL port
Specifies the port number on which the LDAP server listens for SSL requests. A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application.
All Linux platforms
/usr/local/ibm/gsk7/bin/gsk7ikm
Solaris and Solaris on x86_64
/opt/ibm/gsk7/bin/gsk7ikm
Windows
C:\Program Files\IBM\gsk7\bin\gsk7ikm.exe
2. Click Key Database File > New...
3. In the New window:
a. Select a Key database type of CMS.
b. Specify the name and location for the key database file. The key database file usually has a file extension of .kdb.
c. Click OK to continue.
4. In the Password Prompt window:
a. Specify a password for the key database file that meets your organization's password complexity rules.
b. Optional. Set an expiration time for the password.
c. Optional. Select Stash the password to a file? to have an encrypted version of the password stored in a separate stash file. A stash file can be used by some applications, such as Tivoli Directory Server, so that the application administrator does not need to know the password for the key database file. The stash file has the same location and name as the key database file, but has a file extension of .sth.
d. Click OK to create the key database file and, optionally, the stash file.
If you already have one or more personal certificates in the key database file, GSKit asks whether you want to make the certificate just received the default certificate. The default certificate is used when no label is provided on a request to the key database.
Note: A self-signed certificate acts as both a personal certificate and as a signer certificate and could be used to impersonate the server or for other malicious purposes.
a. Select the data type of the extracted file, which is usually Base64-encoded ASCII data.
b. Specify the desired name and location for the certificate file. A file extension of .arm is generally used for this file.
c. Click OK to extract the public key certificate.
After the certificate has been extracted to a file, that file must be made available on all the client systems that will be securely communicating with the Tivoli Directory Server. See Configuring the Tivoli Directory Server client for SSL access on page 501 for details.
You must stop and restart both the Tivoli Directory Server and the administration daemon for the changes to take effect. See the IBM Tivoli Directory Server Version 6.1 Administration Guide if you need information about performing this task.
SSL only
Enables the server to receive only secure communications from clients. This is the most secure way to configure your server. The default port is 636.
None
Enables the server to receive only unsecure communications from clients. The default port is 389. Use this option to disable SSL security.
7. Select the authentication method.
Server authentication
For server authentication the Tivoli Directory Server supplies the client with the Tivoli Directory Server's X.509 certificate during the initial SSL handshake. If the client validates the server's certificate, then a secure, encrypted communication channel is established between the Tivoli Directory Server and the client application. For server authentication to work, the Tivoli Directory Server must have a private key and associated server certificate in the server's key database file.
Server and client authentication
This type of authentication provides for two-way authentication between the LDAP client and the LDAP server. With client authentication, the LDAP client must have a digital certificate. This digital certificate is used to authenticate the LDAP client to the Tivoli Directory Server.
8. When you are finished, click Apply to save your changes without exiting, or click OK to apply your changes and exit.
9. You must stop and restart both the Tivoli Directory Server and the administration daemon for the changes to take effect. You can restart either by using the Web Administration Tool or by using the following instructions:
a. Stop the Tivoli Directory Server using one of the following methods.
v Remotely, issue the command:
ibmdirctl -h host_name -D ldap_admin -w admin_pw stop
v On Windows systems, the Control Panel > Administrative Tools > Services window can also be used to stop the IBM Tivoli Directory Server Instance V6.1 - instance_name service.
b. Stop the administration daemon using one of the following methods.
v Remotely, issue the command:
ibmdirctl -h host_name -D ldap_admin -w ldap_pw admstop
v On Windows systems, the Control Panel > Administrative Tools > Services window can also be used to stop the IBM Tivoli Directory Server Admin Daemon V6.1 - instance_name service.
c. Start the administration daemon using one of the following methods.
v Issue the command:
idsdiradm instance_name
v On Windows systems, the Control Panel > Administrative Tools > Services window can also be used to start the IBM Tivoli Directory Server Admin Daemon V6.1 - instance_name service.
d. Start the Tivoli Directory Server using one of the following methods.
v Remotely, issue the command:
ibmdirctl -h host_name -D ldap_admin -w admin_pw start
v On Windows systems, the Control Panel > Administrative Tools > Services window can also be used to start the IBM Tivoli Directory Server Instance V6.1 - instance_name service.
Note: You must distribute the public key certificate of the Certificate Authority (CA) of the server to each client. If server and client authentication is enabled, you also must add the public key certificate for each client system to the server's key database, if the certificate is not already recognized as a trusted signer. See the IBM Tivoli Directory Server Version 6.0 Administration Guide if you need information about performing these tasks.
and:
authentication_type
Specifies the type of authentication.
serverAuth
For server authentication the Tivoli Directory Server supplies the client with the Tivoli Directory Server's X.509 certificate during the initial SSL handshake. If the client validates the server's certificate, then a secure, encrypted communication channel is established between the Tivoli Directory Server and the client application. For server authentication to work, the Tivoli Directory Server must have a private key and associated server certificate in the server's key database file.
serverClientAuth
This type of authentication provides for two-way authentication between the LDAP client and the LDAP server. With client authentication, the LDAP client must have a digital certificate. This digital certificate is used to authenticate the LDAP client to the Tivoli Directory Server.
security_type
Specifies the type of security.
SSL
Enables the server to receive either secure (default port 636) or unsecure (default port 389) communications from clients.
SSLOnly
Enables the server to receive only secure communications from clients. This is the most secure way to configure your server. The default port is 636.
none
Enables the server to receive only unsecure communications from clients. The default port is 389. Use this option to disable SSL security.
You must stop and restart both the server and the administration daemon for the changes to take effect.

where:
host_name
Specifies the DNS host name of the Tivoli Directory Server.
key_file
Specifies the name of the key database file, with the usual file extension of .kdb. If the key database file is not in the current directory, specify the fully qualified file name.
key_pwd
Specifies the key file password. This password is required to access the encrypted information in the key database file (which might include one or more private keys). If a password stash file is associated with the key database file, the password is obtained from the password stash file, and the -P option is not required. This option is ignored if neither -Z nor -K is specified.
-Z
Indicates that SSL is to be used to establish the connection with the IBM Directory Server.

The idsldapsearch command returns base information from the server, which includes the suffixes on the LDAP server.
Enabling FIPS
Tivoli Access Manager can be configured to run in Federal Information Processing Standards (FIPS) mode. You can make this selection when you configure the Tivoli Access Manager policy server. If the user registry to be used for Tivoli Access Manager is LDAP and if the IBM Tivoli Directory Server is to be used as the LDAP server type, you must also configure the IBM Tivoli Directory Server to perform processing in FIPS mode. If you are using a supported LDAP server other than IBM Tivoli Directory Server, see the LDAP server documentation for information on whether FIPS mode is supported and how to enable FIPS mode processing when supported.

Use the Web Administration Tool included with IBM Tivoli Directory Server to complete these steps. Be sure that the Web Administration Tool has been properly installed and configured into the IBM WebSphere Application Server first.

To enable FIPS support for the IBM Tivoli Directory Server, follow these steps:
1. Access the login page by using a supported Web browser. The default login page location is:
http://server_name:12100/IDSWebApp/IDSjsp/Login.jsp
where server_name is the host name of the application server where the Web Administration Tool has been installed.
2. Do one of the following:
v If you have already added the LDAP host to be administered to the list of existing console servers, select the LDAP server host name and then skip to step 8 on page 484.
v If you have not already added the LDAP host to the list to be administered, continue to step 3 to add the LDAP server to the list of console servers.
3. Log in as the console administrator (referred to as Console Admin). The default Console Admin identity is superadmin and the default password is secret.
4. In the navigation area on the left, select Console administration > Manage console servers to view a list of the LDAP servers currently configured for administration.
5. To add another LDAP server, click Add. Enter the host name and the port number information for the LDAP server to be administered, and then click OK.
6. After you have added one or more LDAP servers to be administered, click Close to complete the step. From the navigation area, click Logout.
Chapter 23. Enabling Secure Sockets Layer (SSL) security
7. Re-access the login page using the same URL specified in step 1 on page 483. Select one of the LDAP servers that you just added from the list of LDAP servers currently configured.
8. After selecting the LDAP server from the list, enter the LDAP server administrator user name (cn=root) and the administrator password on the Login window, and then click Login.
9. In the navigation area on the left, select Server administration > Manage security properties.
10. Click Encryption property. The Encryption property page is displayed.
11. Under Implementation, select the Use FIPS certified implementation and Run server in FIPS mode check boxes, and then click OK.
12. Restart the server to make sure that the server is running in FIPS mode. To do this step, in the navigation area on the left, select Server administration > Start/stop/restart server. The Start/stop/restart server page is displayed.
13. Make sure that the Start/restart in configuration only mode check box is not selected, and then click Restart. Wait until a message is displayed that states the server has successfully been restarted and is currently running. The server is now running in FIPS mode.
14. If you have finished using the Web Administration Tool, select Logout.
15. Next, set up the IBM Tivoli Directory Server client for SSL access, if necessary. See Configuring the Tivoli Directory Server client for SSL access on page 501 for details.
sslCertificate {certificateLabel | none}
Specifies the label of the certificate that is used for server authentication. This option is needed if a default certificate is not set in the key database file or key ring, or if a certificate other than the default one is required. If this option is omitted, the default certificate is used.
sslCipherSpecs {string | ANY}
Specifies the SSL/TLS cipher specifications that can be accepted from clients. For a complete list of the ciphers supported by your z/OS LDAP Server, consult the IBM z/OS LDAP Server Administration and Use manual for your particular release of z/OS. This document is located at http://www.ibm.com/servers/eserver/System z/zos/bkserv/
sslKeyRingFile {filename | keyring}
Specifies the path and file name of the SSL/TLS key database file or key ring for the server.
sslKeyRingFilePW string
Specifies the password protecting access to the SSL/TLS key database file. When a RACF key ring is used instead of a key database file, do not specify this option in the configuration file.
Note: Use of the sslKeyRingFilePW configuration option is strongly discouraged. As an alternative, use either the RACF key ring support or the sslKeyRingPWStashFile configuration option. This eliminates this password from the configuration file.
sslKeyRingPWStashFile filename
Specifies a file name where the password for the server's key database file is stashed. If this option is present, then the password from this stash file overrides the value specified for the sslKeyRingFilePW configuration option. Use the gskkyman utility with the -s option to create a key database password stash file. When a RACF key ring is used instead of a key database file, do not specify this option in the configuration file.
The gskkyman utility provides a menu-based interface. To perform a function, choose the option you want to perform by entering its number at the command prompt. You are prompted for configuration options. Press Enter after each prompt to continue.
2. Enter option 1 to create a new key database file.
3. Type a key database name or accept the default (key.kdb) and press Enter.
4. Create a password to protect the key database.
5. Re-enter the database password for verification.
6. Type a password expiration interval in days or accept the default (no expiration date).
7. Type a database record length or accept the default (2500).
The key database is created and a message is displayed indicating the success or failure of this operation.
8. From the Key Management Menu, select option 6 to create a self-signed server certificate and follow the prompts.
9. After the certificate is created, you must extract this certificate so it can be sent to the LDAP client system and added as a trusted CA certificate. To do so, follow these steps:
a. Select option 1 to manage keys and certificates.
b. From the Key and Certificate List, enter the label number of the certificate to be exported.
c. From the Key and Certificate Menu, enter option 6 to export the certificate to a file.
d. From the Export File Format dialog, select the export format. For example, select option 1 to export to Binary ASN.1 DER.
e. Enter the export file name.
The certificate is exported. You can now transfer the exported file to the LDAP client system and add it as a trusted CA certificate. Because the file format of binary DER was specified on the export, this same file type must be specified to the gsk7ikm utility on the LDAP client system when doing the Add operation.
installed to this system, a security warning will be presented. Click Yes to install the root CA certificate onto the system as a trusted root.
c. Request a certificate for use with ADAM SSL by again using the web browser and going to http://CA_server_machine/certsrv
d. Click Request a Certificate > Advanced Certificate Request > Create and Submit a request to this CA.
e. In the Name field, enter the fully qualified domain name of the ADAM machine exactly as it appears in My Computer > Properties > Computer Name.
f. Fill out the remaining Advanced Certificate Request information per your organization's requirements.
g. Select Server Authentication Certificate as the type of certificate needed.
h. Select Create new key set as a key option.
i. Select Store certificate in the local computer certificate store. The defaults may be used for all other fields unless otherwise required for your organization.
j. Click Submit. Make sure you record the RequestID number for use in the next step.
3. Use the Certification Authority tool to issue the certificate request:
a. Click Start > Administrative Tools > Certification Authority.
b. Expand the Certification Authority CA and click the Pending Requests folder.
c. Select the certificate request with the same RequestID from 2j.
d. Right-click the RequestID and select All Tasks > Issue to issue the certificate. In the Certification Authority tool, the request will now move from the "Pending Request" folder to the "Issued Certificates" folder.
4. Install the issued certificate:
a. Open a web browser and enter http://CA_server_machine/certsrv
b. Select View the status of a pending certificate request.
c. Select the request and click Install this certificate. After a warning about installing a certificate on this machine, click Yes to install the certificate into the system key store.
5. Use the Microsoft Management Console to install the certificate for use by ADAM:
a. Run mmc.exe and select File > Add/Remove Snap-in.
b. Click Add... and select the Certificates snap-in.
c. Click Add. On the Certificate Snap-in panel, select Service Account and click Next.
d. Select the workstation to be managed and click Next. On the Service account panel, scroll to locate and select the ADAM instance service name and click Finish.
e. After returning to the Add Standalone Snap-in panel, select Certificates snap-in and click Add.
f. Select Computer Account and click Next.
g. Select the workstation to be managed and click Next.
h. Close the Add Standalone Snap-in panel.
i. Click OK to add the snap-ins.
j. Go to Certificates (Local Computer) > Personal > Certificates folder and verify that the certificate is installed. Double-click the certificate and confirm
that the General tab states, You have a private key that corresponds to this certificate. Click OK to dismiss the Certificate information panel.
6. Use the following steps to give the ADAM service account read permission on the keystore of the certificate above.
a. From the command line, run the certutil -store my command to identify the Key Container of the ADAM certificate.
b. Using Microsoft Explorer, go to C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys and match the Key Container name you determined in 6a with the file in this folder.
c. Right-click the file and choose Properties.
d. On the Security tab, click Add > Advanced > Find Now and choose the service account under which ADAM is running.
e. Click OK twice to add Read permission to the certificate keystore for the ADAM service account.
7. Test the ADAM SSL setup using ldp:
a. Bring up ldp.exe by typing ldp from an ADAM tools command prompt on the ADAM system. To start an ADAM tools command prompt, click Start > All Programs > ADAM > ADAM Tools Command Prompt.
b. In the ldp tool, click Connect in the Connection tab.
c. Fill in the fully qualified domain name of the ADAM workstation hostname.
d. Enter 636 in the Port field.
e. Check the SSL check box and click OK.
f. Once successfully connected, click Connection > Bind and put in an ADAM user and password to bind to the server. If the ldp tool is able to successfully connect and bind to the ADAM instance, SSL is configured properly.
Configuring Access Manager SSL for use with Active Directory Application Mode (ADAM)
When Active Directory Application Mode (ADAM) is properly configured to use SSL, Tivoli Access Manager must be configured to recognize the ADAM server and connect via SSL. If Microsoft Certification Services was used to create and install the ADAM certificate, the Certificate Authority root certificate must be downloaded to the Access Manager system and established as a trusted root authority. To download the CA root certificate, follow these steps:
1. Open a web browser on the Access Manager workstation and go to the following Web address: http://CA_server_machine/certsrv
2. Click Download a CA certificate, certificate chain, or CRL.
3. Select the CA certificate to be downloaded.
4. Select Base 64 as the encoding method choice.
5. Click Download CA certificate.
6. When prompted, select to Save the file and specify a path and filename on the local system in which to save the downloaded root certificate.
7. To configure the Access Manager client to establish the downloaded CA root certificate as a trusted root (signer) and to test the SSL connection to ADAM, use the instructions found in Configuring the Tivoli Directory Server client for SSL access on page 501.
494
This is not a valid signatory. To change it, you must re-create the Certificate Authority object with a valid subject name. To do so, follow these steps:
1. Start ConsoleOne.
2. Select the Security container object. Objects are displayed in the right pane of the window.
3. Select the Organization CA object and delete it.
4. Right-click the Security container object again and click New Object.
5. From the list box in the New Object dialog, double-click NDSPKI: Certificate Authority. The Create an Organizational Certificate Authority Object dialog is displayed. Follow the online instructions.
6. Select the target server and enter an eDirectory object name. For example:
   Host Server Field = C22Knt_NDS.AM
   Object Name Field = C22KNT-CA
7. In Creation Method, select Custom and click Next.
Chapter 23. Enabling Secure Sockets Layer (SSL) security
   Depending on the installed version of Novell eDirectory, two additional screens might be displayed. Click Next twice to continue.
8. Accept the default Subject name or enter a valid distinguished name for the Certificate Authority being defined. All certificates generated by the Certificate Authority are placed in this location.
9. The Organizational Certificate Authority is displayed in ConsoleOne as C22KNT-CA.
6. Transfer (FTP) the file to the Tivoli Access Manager host directory. For example:
c:\Program Files\Tivoli\Policy Directory\keytab
Enabling SSL
To enable SSL for the Novell LDAP server, do the following:
1. In the right pane of ConsoleOne, locate an entry named LDAP Server hostname and right-click it.
2. From the menu, select Properties. From the Properties notebook, select the SSL Configuration tab.
3. Click the Tree Search icon next to the SSL Certificate field. The Select SSL Certificate window is displayed. The SSL Certificate List pane displays the certificates known to the organization.
4. Select the AM certificate and click OK. The Properties of LDAP Server hostname window is redisplayed with an updated SSL Certificate field.
Note: Do not select Enable and Require Mutual Authentication.
   A Password Prompt window is displayed.
4. Create a password, entering it twice for confirmation, and then click OK. The IBM Key Manager window is displayed with the Signer Certificates window showing.
5. Click the Add button. The Add CA's Certificate from a File window is displayed. Update the following fields and then click OK:
   Data type: Binary DER data
   Certificate file name: <hostname>CA-SelfSignedCert.der
   Location: /var/PolicyDirector/keytabs
The Signer Certificates dialog is now updated with a certificate named AM.
12. Enter the Security password twice and then click OK. The Manage Certificates window is displayed.
13. In the Security Device list, ensure that internal (software) is selected and that the Server Certs tab is selected.
14. Click the Request button at the bottom of the window. The Certificate Request Wizard panel is displayed.
15. Ensure that the Request certificate manually button is selected and click Next.
16. Enter the requestor information and then click Next. Ensure that you complete all fields. When prompted to continue, click Yes.
17. Ensure that the Active Encryption token field states internal (software).
18. Enter the security device password and then click Next.
19. To save the certificate request to a file, click Save to File. To copy the request to the clipboard, click Copy to Clipboard. Then click Done to complete your request.
20. E-mail your request or attach the saved file and send your request to the certificate authority administrator.
   - To paste the text in the window, select In the following encoded text block, copy the text of the certificate, and then click Paste from Clipboard.
5. Click Next.
6. Verify that the certificate information is correct and click Next.
7. In the This certificate will be named field, type a certificate name or accept the default name, server-cert, and then click Next.
8. Enter the token password and then click Done. If the process is successful, the Manage Certificate panel is displayed and the server certificate name is listed under the Server Certs tab.
9. Continue to Enabling SSL access.
1. Select Enable SSL for this server.
2. Select Use the cipher family: RSA.
3. If you do not plan to require certificate-based client authentication, select Do not allow client authentication.
4. Click Save.
5. Restart Sun Java System Directory Server for changes to take effect.
Note: You have to type the trust database password each time the server is started.
SSL is now enabled on Sun Java System Directory Server. Next, you need to enable SSL on the IBM Tivoli Directory Server client systems that will function as LDAP clients to Sun Java System Directory Server. See Configuring the Tivoli Directory Server client for SSL access on page 501.
/usr/opt/ibm/gskta/bin/gsk7ikm
4. In the Password Prompt window:
   a. Specify a password for the key database file which meets your organization's password complexity rules.
   b. Optional. Set an expiration time for the password.
   c. Optional. Select Stash the password to a file? to have an encrypted version of the password stored in a separate stash file. A stash file can be used by some applications, such as Tivoli Directory Server, so that the application administrator does not need to know the password for the key database file. The stash file has the same location and name as the key database file, but has a file extension of .sth.
   d. Click OK to create the key database file and, optionally, the stash file.
   After creating the key database file, change the file ownership of the key database file to user ivmgr and group ivmgr. Use the appropriate operating system command for changing file ownership. For example, on UNIX and Linux systems, enter the following:
   chown ivmgr:ivmgr client_keyfile
2. 3. 4. 5. 6.
7. Click Add....
8. In the Add CA's Certificate from a File window:
   a. Select the data type of the certificate file received, which is usually Base64-encoded ASCII data.
   b. Enter the name and location of the file containing the certificate from the Certificate Authority (CA) or the extracted self-signed certificate, which usually has a file extension of .arm.
   c. Click OK.
9. Enter a label for the signer certificate that you are adding. If the certificate was created by a certificate authority, you can use the name of the Certificate Authority as the label. For a self-signed certificate, use the name of the LDAP server for the label.
10. Click OK. The certificate is displayed in the key database file as a signer certificate.
11. Select the newly added signer certificate, and click View/Edit....
12. Ensure that Set the certificate as a trusted root is selected so that the certificate is marked as a trusted root.
13. Click OK.
The command variables are as follows:
server_name
   The DNS host name of the LDAP server.
client_keyfile
   The fully qualified path name of the generated client key ring.
keyfile_pwd
   The password of the generated key ring.
-Z
   Indicates that SSL is to be used to establish the connection with the LDAP server.
This command returns the LDAP base information, which includes the suffixes on the LDAP server. During LDAP server configuration in Configuring IBM Tivoli Directory Server for SSL access on page 474, you chose an authentication method of either Server Authentication or Server and Client Authentication.
- If you chose Server Authentication, the SSL setup is now complete.
- If you chose Server and Client Authentication, go to Configuring SSL for server and client authentication on page 504.
   c. Optional. Select Stash the password to a file? to have an encrypted version of the password stored in a separate stash file. A stash file can be used by some applications, such as Tivoli Directory Server, so that the application administrator does not need to know the password for the key database file. The stash file has the same location and name as the key database file, but has a file extension of .sth.
   d. Click OK to create the key database file and, optionally, the stash file.
   e. After creating the key database file on the client system, change the file ownership of the key database file to user ivmgr and group ivmgr. Use the appropriate operating system command for changing file ownership. For example, on UNIX and Linux systems, enter the following:
      chown ivmgr:ivmgr client_keyfile
3. Select the key database file and click OK.
4. When prompted, enter the password for the key database file. Click OK.
5. In the Key database content pane, select Personal Certificates.
6. Click Create New Certificate Request....
7. In the Create New Key and Certificate Request window:
   a. In the Key Label field, enter a name for your key.
   b. In the Key size field, enter a size for your key.
   c. In the Common Name field, enter the host name of the server system.
   d. In the Organization field, enter the name of your organization. Your Certificate Authority might require you to specify a specific value.
   e. Select the appropriate value in the Country or region field.
   f. Complete any of the optional fields as desired.
   g. Specify a name and location for the certificate request. The file usually is given a file extension of .arm.
   h. Click OK to create a certificate request file.
8. Send the certificate request file to your Certificate Authority for processing.
7. In the Receive Certificate from a File window:
   a. Select the data type of the certificate file received, which is usually Base64-encoded ASCII data.
   b. Enter the name and location of the file containing your personal certificate, which usually has a file extension of .arm.
   c. Click OK.
If you already have one or more personal certificates in the key database file, GSKit asks whether you want to make the certificate just received the default certificate. The default certificate is used when no label is provided on a request to the key database.
To add the certificate from the Certificate Authority into the key database as a signer certificate:
1. Start the key management utility, gsk7ikm, if it is not already running.
2. Click Key Database File > Open....
3. Select the key database file and click OK.
4. When prompted, enter the password for the key database file. Click OK.
5. In the Key database content pane, select Signer Certificates.
6. Click Add....
7. In the Add CA's Certificate from a File window:
   a. Select the data type of the certificate file received, which is usually Base64-encoded ASCII data.
   b. Enter the name and location of the file containing the certificate from the CA, which usually has a file extension of .arm.
   c. Click OK.
   g. In the Validity Period field, specify the number of days that the certificate is to be valid.
   h. Complete any of the optional fields as desired.
   i. Click OK to create a self-signed certificate and add it to your key database file.
If you already have one or more personal certificates in the key database file, GSKit asks whether you want to make the certificate just received the default certificate. The default certificate is used when no label is provided on a request to the key database.
Continue with Extracting the certificate on page 478.
4. When prompted, enter the password for the key database file. Click OK.
5. In the Key database content pane, select Personal Certificates. The personal certificates available in the key database file are displayed. The personal certificates which are displayed include both self-signed certificates and certificates previously received from a Certificate Authority (CA).
6. Select the desired personal certificate to process.
7. Click Extract Certificate....
8. In the Extract Certificate to a File window:
   a. Select the data type of the extracted file, which is usually Base64-encoded ASCII data.
   b. Specify the desired name and location for the certificate file. A file extension of .arm is generally used for this file.
   c. Click OK to extract the public key certificate.
After the client certificate has been extracted to a file, that file must be made available on the Tivoli Directory Server.
   b. Enter the name and location of the file containing the certificate from the Certificate Authority (CA) or the extracted self-signed certificate, which usually has a file extension of .arm.
   c. Click OK.
9. Enter a label for the signer certificate that you are adding. If the certificate was created by a certificate authority, you can use the name of the Certificate Authority as the label. For a self-signed certificate, use the name of the client system for the label.
10. Click OK. The certificate is displayed in the key database file as a signer certificate.
11. Select the newly added signer certificate, and click View/Edit....
12. Ensure that Set the certificate as a trusted root is selected so that the certificate is marked as a trusted root.
13. Click OK.
The command variables are as follows:
server_name
   The DNS host name of the LDAP server.
client_keyfile
   The fully qualified path name of the generated client key ring.
keyfile_pwd
   The password of the generated key ring.
client_label
   The label associated with the key, if any. This field is needed only when the LDAP server is configured to perform server and client authentication.
-Z
   Indicates that SSL is to be used to establish the connection with the LDAP server.
The idsldapsearch command returns the LDAP base information, which includes the suffixes on the LDAP server. Notice that the -N parameter indicates the label that was specified when the client's personal certificate was added to the client's key database file.
Note: Do not specify the LDAP server's signer certificate label. The -N option indicates to GSKit which client certificate is sent to the server when requested. If no label is specified, then the default personal certificate is sent when the server requests the client's certificate.
SSL setup is now complete.
Rules
- You can create one primary policy server and one standby policy server.
- Both the primary and standby policy servers must be located on AIX systems that are part of a High Availability Cluster Multiprocessing (HACMP) environment.
- Each AIX system must have access to a shared disk array that is configured for data redundancy.
- The policy database and the configuration files used by the policy server must be located on a shared disk array.
- The registry server, such as IBM Tivoli Directory Server, must be available and installed on a separate system.
Preinstallation requirements
Before you set up a primary and standby policy server environment, ensure that the following conditions are met:
- Ensure that the two machines (primary and standby) are at the same maintenance levels and have similar hardware and performance capabilities. Supported maintenance levels are:
  - For AIX 5.2, Technology Level (TL) 5200-08 or above, Service Pack (SP) 5200-08-02 or above
  - For AIX 5.3, Technology Level (TL) 5300-04 or above, Service Pack (SP) 5200-04-02 or above
- Ensure that HACMP 4.5 or higher is installed, configured, and running on both the primary and standby policy server systems.
- Ensure that a shared file system is mounted. For example, you can connect an external SSA-based storage tower to both systems, such as the SSA-based 7133 Model T40 storage enclosure.
For general instructions about setting up a basic HACMP environment, see the scenario on page 513.
Hardware and software requirements
In this scenario, the following hardware and software are used. Your hardware and software requirements will be different, depending on your configuration.
- Two AIX systems with the following hardware:
  - Two Ethernet or Token Ring cards connected and configured to the network
  - A serial cable that is connected from the serial port on one AIX system to the serial port on the other AIX system
    Note: Each AIX system must be able to ping the IP address of the other AIX system.
  - An SSA adapter card
- An SSA-based disk array, such as an IBM 7133 Model T40 storage tower or an IBM 7133 D40 rack-mounted enclosure
- Three SSA connection cables. Two (one per AIX system) are cabled to the disk array and one is cabled between the two AIX systems
- The recommended IBM AIX version and service pack installed on both AIX systems. If you use other versions, the version and service pack level must match on both machines.
Use the following scenario to set up a basic HACMP environment on IBM AIX 5.1 and Service Pack 3.
1. Install the AIX operating system using the AIX installation CDs, including all rsct packages and the appropriate service pack. To check the operating system level, type:
   oslevel -r
   For example, if IBM AIX 5.2 and Service Pack 1 are installed, 520001 will be displayed.
2. Install the separately purchased HACMP Version 4.5 ES/CRM software and any AIX operating system prerequisites that are needed.
3. Update file information by doing the following:
   a. In the /etc/hosts file on both AIX systems, type the host name and IP address for all your network card connections. For example, if you have four connection network cards between your two systems, your /etc/hosts file must contain lines similar to the following example:
# @(#)47 1.1 src/bos/usr/sbin/netstart/hosts, cmdnet, bos510 7/24/91 10:46
#
# COMPONENT_NAME: TCPIP hosts
#
# FUNCTIONS: loopback
#
# ORIGINS: 26 27
#
# (C) COPYRIGHT International Business Machines Corp. 1985, 1989
# All Rights Reserved
# Licensed Materials - Property of IBM
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# /etc/hosts
#
# This file contains the hostnames and their address for hosts in the
# network. This file is used to resolve a hostname into an Internet
# address.
#
# At minimum, this file must contain the name and address for each
# device defined for TCP in your /etc/net file. It may also contain
# entries for well-known (reserved) names such as timeserver
# and printserver as well as any other host name and address.
#
# The format of this file is:
# Internet Address      Hostname        # Comments
# Items are separated by any number of blanks and/or tabs. A '#'
# indicates the beginning of a comment; characters up to the end of the
# line are not interpreted by routines which search this file. Blank
# lines are allowed.
#
# Internet Address      Hostname        # Comments
# 192.9.200.1           net0sample      # ethernet name/address
# 128.100.0.1           token0sample    # token ring name/address
# 10.2.0.2              x25sample       # x.25 name/address
127.0.0.1               loopback localhost      # loopback (lo0) name/address
192.168.2.13            tucana
192.168.2.79            tucana-boot
192.168.3.2             tucana-stby
192.168.2.14            perseus
192.168.2.80            perseus-boot
192.168.3.3             perseus-stby
b. Edit the /.rhosts file to ensure that it contains the correct host names. For example:
perseus
perseus-boot
perseus-stby
tucana
tucana-boot
tucana-stby
4. Configure the HACMP cluster. To do so, consult your HACMP software documentation. Use the Example HACMP configuration as a guide.
Figure 3 illustrates a two system (or two node) configuration sharing an external storage enclosure.
The primary (tucana) and standby (perseus) policy servers share an SSA-based external storage enclosure. When the primary policy server goes down because of a failover event, such as a network or hardware failure, the HACMP software on the standby system recognizes this event and takes over the service IP address of the primary policy server. The HACMP software also mounts the shared file system on the standby system and starts the standby policy server. The standby policy server remains operational until the HACMP software on the standby system recognizes that the primary system has been restored. At that time, the HACMP software on the primary system does the following:
1. Resumes control of the service IP address associated with the primary system
2. Mounts the shared file system
3. Starts the primary policy server
Note: While the HACMP software on the primary system is performing these actions, the HACMP software on the standby system stops the standby policy server, unmounts the shared file system, and relinquishes control of the service IP address of the primary policy server.
The following example illustrates an HACMP environment containing a primary and a standby policy server. Before each SMITTY screen output is the hierarchy of menus that you must progress through to display the screen.
                                COMMAND STATUS

Command: OK            stdout: yes           stderr: no

Before command completion, additional instructions may appear below.

[TOP]
Cluster Description of Cluster am51bos
Cluster ID: 1
There were 2 networks defined: tucanaip, tucanatty1
There are 2 nodes in this cluster

NODE perseus:
    This node has 2 service interface(s):

    Service Interface perseus:
        IP address:         192.168.2.14
        Hardware Address:
        Network:            tucanaip
        Attribute:          public

        Service Interface perseus has a possible boot configuration:
            Boot (Alternate Service) Interface: perseus-boot
            IP Address:     192.168.2.80
            Network:        tucanaip
            Attribute:      public

        Service Interface perseus has 1 standby interfaces
            Standby Interface 1: perseus-stby
            IP Address:     192.168.3.3
            Network:        tucanaip
            Attribute:      public

    Service Interface perseus-tty1:
        IP address:         /dev/tty1
        Hardware Address:
        Network:            tucanatty1
        Attribute:          serial

        Service Interface perseus-tty1 has no standby interfaces

NODE tucana:
    This node has 2 service interface(s):

    Service Interface tucana:
        IP address:         192.168.2.13
        Hardware Address:
        Network:            tucanaip
        Attribute:          public

        Service Interface tucana has a possible boot configuration:
            Boot (Alternate Service) Interface: tucana-boot
            IP Address:     192.168.2.79
            Network:        tucanaip
            Attribute:      public

        Service Interface tucana has 1 standby interfaces
            Standby Interface 1: tucana-stby
            IP Address:     192.168.3.2
            Network:        tucanaip
            Attribute:      public

    Service Interface tucana-tty1:
        IP address:         /dev/tty1
        Hardware Address:
Chapter 24. AIX: Setting up a standby policy server
        Network:            tucanatty1
        Attribute:          serial

Breakdown of network connections:

Connections to network tucanaip
    Node perseus is connected to network tucanaip by these interfaces:
        perseus-boot
        perseus
        perseus-stby
    Node tucana is connected to network tucanaip by these interfaces:
        tucana-boot
        tucana
        tucana-stby

Connections to network tucanatty1
    Node perseus is connected to network tucanatty1 by these interfaces:
        perseus-tty1
    Node tucana is connected to network tucanatty1 by these interfaces:
        tucana-tty1
[BOTTOM]
Before command completion, additional instructions may appear below.

[TOP]
Resource Group Name                          tucanasip
Node Relationship                            cascading
Participating Node Name(s)                   tucana perseus
Service IP Label                             tucana
Filesystems                                  /amfs1
Filesystems Consistency Check                fsck
Filesystems Recovery Method                  sequential
Filesystems/Directories to be exported       /amfs1
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups                                amvg
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers                          PDMGR
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups           false
Inactive Takeover                            false
Cascading Without Fallback                   false
9333 Disk Fencing                            false
SSA Disk Fencing                             false
Filesystems mounted before IP configured     false

Resource Group Name                          perseusip
Node Relationship                            cascading
Participating Node Name(s)                   perseus tucana
Service IP Label                             perseus
Filesystems
Filesystems Consistency Check                fsck
Filesystems Recovery Method                  sequential
Filesystems/Directories to be exported
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups
Inactive Takeover
Cascading Without Fallback
9333 Disk Fencing
SSA Disk Fencing
Filesystems mounted before IP configured

Run Time Parameters:
Node Name
Debug Level
Host uses NIS or Name Server
[BOTTOM]
SMITTY MENU Hierarchy: HACMP for AIX - Cluster Configuration - Cluster Resources - Show Cluster Resources - Show Resource Information by Node - Select Node Name - tucana

Before command completion, additional instructions may appear below.

[TOP]
Resource Group Name                          tucanasip
Node Relationship                            cascading
Participating Node Name(s)                   tucana perseus
Service IP Label                             tucana
Filesystems                                  /amfs1
Filesystems Consistency Check                fsck
Filesystems Recovery Method                  sequential
Filesystems/Directories to be exported       /amfs1
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups                                amvg
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers                          PDMGR
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups           false
Inactive Takeover                            false
Cascading Without Fallback                   false
9333 Disk Fencing                            false
SSA Disk Fencing                             false
Filesystems mounted before IP configured     false

Resource Group Name                          perseusip
Node Relationship                            cascading
Participating Node Name(s)                   perseus tucana
Service IP Label                             perseus
Filesystems
Filesystems Consistency Check                fsck
Filesystems Recovery Method                  sequential
Filesystems/Directories to be exported
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups
Inactive Takeover
Cascading Without Fallback
9333 Disk Fencing
SSA Disk Fencing
Filesystems mounted before IP configured

Run Time Parameters:
Node Name                                    tucana
Debug Level                                  high
Host uses NIS or Name Server                 false
[BOTTOM]
SMITTY MENU Hierarchy: HACMP for AIX - Cluster Configuration - Cluster Resources - Show Cluster Resources - Show Resource Information by Resource Group - Select Resource Group Name - perseusip
Before command completion, additional instructions may appear below.

Resource Group Name                          perseusip
Node Relationship                            cascading
Participating Node Name(s)                   perseus tucana
Service IP Label                             perseus
Filesystems
Filesystems Consistency Check                fsck
Filesystems Recovery Method                  sequential
Filesystems/Directories to be exported
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups
Inactive Takeover
Cascading Without Fallback
9333 Disk Fencing
SSA Disk Fencing
Filesystems mounted before IP configured

Run Time Parameters:
Node Name                                    perseus
Debug Level                                  high
Host uses NIS or Name Server                 false

Node Name                                    tucana
Debug Level                                  high
Host uses NIS or Name Server                 false
SMITTY MENU Hierarchy: HACMP for AIX - Cluster Configuration - Cluster Resources - Show Cluster Resources - Show Resource Information by Resource Group - Select Resource Group Name - tucanasip
Before command completion, additional instructions may appear below.

Resource Group Name                          tucanasip
Node Relationship                            cascading
Participating Node Name(s)                   tucana perseus
Service IP Label                             tucana
Filesystems                                  /amfs1
Filesystems Consistency Check                fsck
Filesystems Recovery Method                  sequential
Filesystems/Directories to be exported       /amfs1
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups                                amvg
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups
Inactive Takeover
Cascading Without Fallback
9333 Disk Fencing
SSA Disk Fencing
Filesystems mounted before IP configured

Run Time Parameters:
Node Name                                    tucana
Debug Level                                  high
Host uses NIS or Name Server                 false

Node Name                                    perseus
Debug Level                                  high
Host uses NIS or Name Server                 false
Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                             [Entry Fields]
  Server Name                                PDMGR
  New Server Name                            [PDMGR]
  Start Script                               [/usr/bin/pd_start start]
  Stop Script                                [/usr/bin/pd_start stop]
   Note: Ensure that the four UID values are not being used on either system before attempting to create them.
2. After configuring and starting the HACMP cluster on your two systems, create a directory, such as /share, in the shared file system, which is mountable on these systems. For example, create a /share directory on the shared external SSA-based storage tower. To do so, follow these steps:
   a. Using the system that will serve as the primary policy server, create a /share directory in the shared file system. This shared directory, located in the external SSA-based storage tower, will contain critical information that must be shared between the primary and standby policy servers.
   b. Create a /share subdirectory named PolicyDirector (/share/PolicyDirector). Also ensure that ivmgr is the owner and ivmgr is the group associated with both directories.
   c. Use the SMITTY HACMP menus to simulate an IP takeover scenario. To do so, stop cluster services on the primary policy server machine using the graceful with takeover shutdown mode. When the cluster shutdown completes on the primary policy server, the standby policy server takes over the service IP address of the primary policy server and is able to access the /share and /share/PolicyDirector directories within the shared file system.
   d. From the standby policy server system, issue the ls -l command to validate that both of these directories are associated with the ivmgr user and the ivmgr group.
   e. Restart the cluster on the primary policy server. After the restart has completed, the service IP address will be restored to the primary policy server system and the shared file system will be mounted on the primary policy server system.
3. On the primary policy server, do the following:
   a. Install and configure the required Tivoli Access Manager components using either the install_ammgr wizard or the native installation method. For instructions, see Chapter 4, Setting up a policy server, on page 137. Figure 4 illustrates the location of key files after the primary policy server is installed and configured.
[Figure 4. Primary policy server (tucana) after installation and configuration; labels in the figure: tucana, Primary policy server, PDRTE]
   b. Stop the primary policy server.
   c. Edit the /opt/PolicyDirector/etc/ivmgrd.conf file and do the following:
      1) Within the [ssl] stanza, change the value of the ssl-io-inactivity-timeout entry to 300.
      2) Within the [configuration-database] stanza, update the file= entry to indicate the fully qualified location of the ivmgrd.conf.obf file within the SHARED external file system. For example:
         file=/share/PolicyDirector/etc/ivmgrd.conf.obf
   d. Edit the /opt/PolicyDirector/pd.conf file and change the host name of the primary policy server to match the host name of the service IP interface, which was configured in your HACMP configuration for this system. In the example depicted in HACMP environment scenario on page 513, this host name value was tucana.
   e. After changes are saved to the configuration files, create a script similar to the sample shown in Script: Linking files and directories on the primary system on page 529. Run this script on the primary policy server to link required files and directories to the shared file system (/share). Figure 5 on page 525 illustrates the location of key files after they have been moved to the shared file system. Note that the standby policy server has not been configured at this point.
Figure 5. Primary policy server after incorporating use of the shared file system
f. Restart the primary policy server.
g. Verify the directory structure, file locations, soft links and file permissions as shown on page 530.
4. On the standby policy server, do the following:
a. Install (do not configure) the required Tivoli Access Manager components using a native installation utility, such as installp. For instructions, see AIX: Installing the policy server on page 142.
b. Ensure that the HACMP cluster is running on this system and validate that the shared external file system (/share/PolicyDirector) is accessible. This is necessary so that the configuration process can access the .conf files stored in the file system. For the standby policy server to access this shared external file system, the primary policy server must be shut down. To do so, use the SMITTY HACMP menus to stop cluster services by specifying the graceful with takeover shutdown mode on the primary policy server system. After the cluster has been stopped on this system and after the HACMP failover operation is completed (which should take no more than a minute), verify that the standby policy server system has taken over the service IP address of the primary policy server and that the shared file system is mounted on the standby policy server system.
c. Configure the standby policy server using the pdconfig utility. For instructions, see AIX: Installing the policy server on page 142.
Note: The primary policy server does not have to be running to configure a standby policy server. However, the registry server that is used by the primary policy server must be available and running on a different system than the primary policy server system.
During configuration, the pdconfig utility detects that a policy server configuration already exists. Respond y (Yes) to the following prompts:
A policy server is already configured to this LDAP server.
A second policy server may be configured for migration or standby purposes ONLY!
Would you like to configure a second policy server to this LDAP server (y/n) [No]? y
Use this policy server for standby (y/n) [No]: y
When prompted, type the fully qualified location of the ivmgrd.conf file (the existing policy server configuration file). For example, if the shared directory is /share, type the following:
/share/PolicyDirector/ivmgrd.conf
The pdconfig utility places a link to this file in the /opt/PolicyDirector/etc directory and modifies the ivmgrd.conf file to enable standby operation.
Note: After successful configuration of the standby policy server, the standby policy server is not started. It will start automatically only after a failover condition is detected by the HACMP software that is running on the standby policy server. Otherwise, serious errors and conflicts can occur if both the primary and the standby policy servers attempt to run concurrently.
d. Create a script similar to the sample shown in Script: Linking from the AIX system files to the shared directory on the standby system on page 532. Run this script to link from the AIX system files to the shared directory.
e. Verify the directory structure, file locations, soft links and file permissions as shown on page 533.
Note: Because both systems share the same directory, the contents of /share/PolicyDirector on the standby server must be identical to the contents shown for the primary server.
Configuration of the primary and standby policy servers is now complete. At this point, the HACMP cluster is down on the primary policy server system and up on the standby policy server system. Before testing the policy server failover capabilities, verify that the policy server executable is specified in the HACMP configuration as an application server. To verify using the SMITTY utility, select Show Cluster Resources from the HACMP Cluster Resources panel to display the cluster resources. To define an application server, select the Add an Application Server option from the HACMP Define Application Servers panel. After this panel is selected, specify the start script (/usr/bin/pd_start start) and the stop script (/usr/bin/pd_start stop) for the policy server executable.
Figure 6 on page 527 illustrates the location of key files after using a native installation method to configure the standby policy server. Appropriate links to these key files within the shared system are also created.
After the application server configuration has been verified, it is now possible to fully activate the HACMP primary or standby policy server configuration. To activate this configuration, the HACMP cluster on the primary policy server system must be restarted. This action will start the primary policy server and put the standby policy server in standby mode.
Script: Setting UIDs for both the primary and standby systems
Use a script similar to the following to set UIDs for ivmgr and tivoli users and groups on both the primary and standby policy server systems.
#!/bin/ksh
#
# This script sets the uid values for the ivmgr user and the ivmgr group
# to values that are specified on the command line when this script is
# executed. In addition, this script defines the tivoli group uid and the
# tivoli user uid.
#
# The first parameter ($1) is the uid for the ivmgr group. The second parameter
# ($2) is the uid for the ivmgr user. The third parameter ($3) is the uid
# for the tivoli group. The fourth parameter ($4) is for the tivoli user uid.
# Before executing this script, ensure that the four uid values ARE NOT already
# being used on either system.
#
# Due to the importance of these values, it is ABSOLUTELY necessary on the
# system which will run as the Standby Policy Server to set the ivmgr group
# uid and the ivmgr user uid to MATCH the corresponding settings for these
# entities on the system which is serving as the Primary Policy Server. Also,
# since the definition of the ivmgr user has membership in the tivoli group,
# it is also necessary to create the tivoli group as well. Finally, since
# the tivoli group contains the tivoli user, the tivoli user, with the
# appropriate uid, must be defined as well. These user/group settings ensure
# consistency across the two policy servers, allowing each system to take
# over the role of the Primary Policy Server when it is appropriate.
# Otherwise, the Standby Policy Server will not run, or will not even configure
# correctly, if these values are not the same on BOTH systems.
#
# Note that this script, setivug, MUST be run BEFORE the Standby Policy Server
# is installed. As a matter of fact, it is recommended that this script be run
# BEFORE any Access Manager software is installed on either the Primary OR the
# Standby Policy Server. In this way, all four of these IDs will be consistent
# across BOTH systems.
#
set -e
set -x
#
# All four uid values are required; refuse to run with fewer.
#
if [ $# -ne 4 ]
then
    echo "Usage: $0 ivmgr_gid ivmgr_uid tivoli_gid tivoli_uid" >&2
    exit 1
fi
#
# Create the ivmgr and tivoli groups with the appropriate uids
#
mkgroup -A id="$1" ivmgr
mkgroup -A id="$3" tivoli
#
# Wrapper around mkuser: quotes each attribute=value argument so that values
# containing spaces (such as gecos) survive the eval, and maps the pseudo
# attribute admin=true to the mkuser -a flag.
#
x()
{
    LIST=
    SET_A=
    for i in "$@"
    do
        if [ "$i" = "admin=true" ]
        then
            SET_A="-a"
            continue
        fi
        LIST="$LIST \"$i\""
    done
    eval mkuser $SET_A $LIST
}
#
# Now define the ivmgr user uid to be a part of the staff, tivoli, and ivmgr groups.
# (Enter the following command on one continuous line.)
#
x id="$2" pgrp=staff groups=staff,tivoli,ivmgr home=/opt/PolicyDirector shell=/usr/bin/ksh "gecos=Policy Director Manager" ivmgr
#
# Now define the tivoli user uid to be a part of the staff and tivoli groups.
# (Enter the following command on one continuous line.)
#
x id="$4" pgrp=staff groups=staff,tivoli home=/home/tivoli shell=/usr/bin/ksh "gecos=Owner of Tivoli Common Files" tivoli
#
Example: Verifying the primary server directories, soft links, and permissions
In the /opt/PolicyDirector/etc directory:
==> ls -l
total 3714
-rw-r-----   1 ivmgr    ivmgr    1682440 Oct 10 11:48 AccessManagerBaseAutoTraceDatabaseFile.obfuscated
-rw-r--r--   1 ivmgr    ivmgr       2703 Oct 14 13:16 activedir_ldap.conf
-rw-r-----   1 ivmgr    ivmgr       2703 Jul 14 14:21 activedir_ldap.conf.template
-rw-r-----   1 ivmgr    ivmgr      18195 Jul  7 10:46 additional_licenses.txt
drw-rw----   2 ivmgr    ivmgr        512 Dec 31  1969 blades
-rw-r-----   1 ivmgr    ivmgr       5890 Jan 24  2003 config
-rw-r-----   1 ivmgr    ivmgr        718 May 13 11:40 domino.conf.template
-rw-r-----   1 ivmgr    ivmgr        114 Oct 10 11:48 ffdc
lrwxrwxrwx   1 ivmgr    ivmgr         36 Oct 15 13:45 ivmgrd.conf -> /amfs1/PolicyDirector/ivmgrd.conf
-rw-r-----   1 ivmgr    ivmgr      16949 Oct 14 13:19 ivmgrd.conf.bkp
lrwxrwxrwx   1 ivmgr    ivmgr         40 Oct 15 13:45 ivmgrd.conf.obf -> /amfs1/PolicyDirector/ivmgrd.conf.obf
-rw-r-----   1 ivmgr    ivmgr         64 Oct 14 13:19 ivmgrd.conf.obf.bkp
-rw-r-----   1 ivmgr    ivmgr      16731 Oct 10 11:29 ivmgrd.conf.template
-rw-r--r--   1 ivmgr    ivmgr       2319 Oct 14 13:18 ldap.conf
-rw-r-----   1 ivmgr    ivmgr       2187 Oct 10 11:21 ldap.conf.template
-rw-r--r--   1 ivmgr    ivmgr      36544 Sep 29 12:45 novschema.def
-rw-r--r--   1 ivmgr    ivmgr      26260 Sep 29 12:45 nsschema.def
lrwxrwxrwx   1 ivmgr    ivmgr         32 Oct 15 13:45 pd.conf -> /amfs1/PolicyDirector/pd.conf
-rw-r--r--   1 ivmgr    ivmgr       3736 Oct 14 13:20 pd.conf.bkp
-rw-r-----   1 ivmgr    ivmgr       3645 Oct 10 11:29 pd.conf.template
-rw-r-----   1 ivmgr    ivmgr       5576 Oct 10 10:05 pdbackup.lst
-rw-r-----   1 ivmgr    ivmgr       7448 Oct 10 10:05 pdinfo.lst
-rw-r--r--   1 ivmgr    ivmgr       5354 Oct 14 13:19 pdmgrd_routing
-rw-r--r--   1 ivmgr    ivmgr       5255 Oct 10 11:36 pdmgrd_routing.template
-rw-r--r--   1 ivmgr    ivmgr       1492 Oct 14 12:49 pdversion.dat
-rw-r--r--   1 ivmgr    ivmgr       1492 Aug 18 11:37 pdversion.dat.template
-rw-r-----   1 ivmgr    ivmgr       1466 Jan 24  2003 product
-rw-r--r--   1 ivmgr    ivmgr       5827 Oct 14 13:16 routing
-rw-r--r--   1 ivmgr    ivmgr       5674 Oct 10 11:36 routing.template
-rw-r--r--   1 ivmgr    ivmgr      14035 Sep 29 12:45 secschema.def
-rw-r--r--   1 ivmgr    ivmgr      11236 Jan 24  2003 secschema390.def
-rw-r--r--   1 ivmgr    ivmgr          1 Oct 14 12:49 startup
-rw-r--r--   1 ivmgr    ivmgr          1 Jun 24 10:48 startup.template
-rw-r--r--   1 ivmgr    ivmgr       1233 Jan 24  2003 upgrade3.7_ibm_schema.def
-rw-r--r--   1 ivmgr    ivmgr       1938 Jan 24  2003 upgrade3.7_ibm_schema390.def
-rw-r--r--   1 ivmgr    ivmgr       1744 Jan 24  2003 upgrade3.7_netscape_schema.def
In the /var/PolicyDirector directory:
==> ls -Rl
total 7
drwxrwxr-x   2 ivmgr    ivmgr    Dec 31  1969 audit
lrwxrwxrwx   1 ivmgr    ivmgr    Oct 15 13:45 db -> /amfs1/PolicyDirector/db
drwxrwxr-x   2 ivmgr    ivmgr    Oct 14 13:19 db_bkp
lrwxrwxrwx   1 ivmgr    ivmgr    Oct 16 15:48 keytab -> /amfs1/PolicyDirector/keytab
drwxr-xr-x   2 ivmgr    ivmgr    Oct 16 15:42 keytab_bkp
lrwxrwxrwx   1 ivmgr    ivmgr    Oct 15 13:45 lock -> /amfs1/PolicyDirector/lock
drwxr-x---   2 ivmgr    ivmgr    Dec 31  1969 lock_bkp
drwxrwxrwx   3 ivmgr    ivmgr    Oct 16 13:40 log
drwxrwxr-x   2 ivmgr    ivmgr    Dec 31  1969 pdbackup
drwxr-x---   2 ivmgr    ivmgr    Oct 14 12:49 pdmgrd
(the size column of this listing is not present in the source)

./audit:
total 0

./db_bkp:
total 1056
-rw-------   1 ivmgr    ivmgr    (the remainder of this listing is not present in the source)
In the SHARED directory, /share/PolicyDirector, on the external file system:
==> ls -Rl
total 80
drwxrwxr-x   2
-rw-r-----   1
-rw-r-----   1
drwxr-xr-x   2
drwxr-x---   2
-rw-r--r--   1
(the owner, size, date and name columns of these six entries are not present in the source; by entry type and link count, in ls order, they are the db directory, the ivmgrd.conf and ivmgrd.conf.obf files, the keytab and lock directories, and the pd.conf file, that is, the targets of the links shown for the primary system)

./db:
total 1056
-rw-------   1 ivmgr    ivmgr    (size, date and name not present in the source)

./keytab:
total 64
-rw-------   1
-rw-------   1
-rw-rw-rw-   1
-rw-rw-rw-   1
-rw-------   1
(the owner, size, date and name columns of these entries are not present in the source)

./lock:
total 0
Script: Linking from the AIX system files to the shared directory on the standby system
Use a script similar to the following to link from the AIX system files to the shared directory on the standby policy server system.
#!/bin/ksh
#
# The Standby Policy Server must use the same configuration files as the
# Primary Policy Server. For this reason, the following links must be created
# in order for the Standby Policy Server to function correctly. Note that the
# Access Manager configuration software will automatically create a link to
# the ivmgrd.conf file that is stored in the shared external file system.
#
# Backup pd.conf to pd.conf.bkp and link to pd.conf in the shared external file system
mv /opt/PolicyDirector/etc/pd.conf /opt/PolicyDirector/etc/pd.conf.bkp
ln -s /share/PolicyDirector/pd.conf /opt/PolicyDirector/etc
# Backup the keytab, db and lock directories and link the keytab, db, and lock
# directories to their corresponding directories in the shared external file system.
mv /var/PolicyDirector/keytab /var/PolicyDirector/keytab_bkp
ln -s /share/PolicyDirector/keytab /var/PolicyDirector
mv /var/PolicyDirector/db /var/PolicyDirector/db_bkp
ln -s /share/PolicyDirector/db /var/PolicyDirector
mv /var/PolicyDirector/lock /var/PolicyDirector/lock_bkp
ln -s /share/PolicyDirector/lock /var/PolicyDirector
# Change the owner and group of the four links created above to ivmgr
# (-h changes the link itself, not the target in the shared file system).
chown -h ivmgr /opt/PolicyDirector/etc/pd.conf
chown -h ivmgr /var/PolicyDirector/db
chown -h ivmgr /var/PolicyDirector/keytab
chown -h ivmgr /var/PolicyDirector/lock
chgrp -h ivmgr /opt/PolicyDirector/etc/pd.conf
chgrp -h ivmgr /var/PolicyDirector/db
chgrp -h ivmgr /var/PolicyDirector/keytab
chgrp -h ivmgr /var/PolicyDirector/lock
In the /opt/PolicyDirector/etc directory (standby policy server system):
==> ls -l
(the permissions column of this listing is not present in the source)
   1 ivmgr    ivmgr    1682440 Oct 10 11:48 AccessManagerBaseAutoTraceDatabaseFile.obfuscated
   1 ivmgr    ivmgr       2703 Oct 16 13:26 activedir_ldap.conf
   1 ivmgr    ivmgr       2703 Jul 14 14:21 activedir_ldap.conf.template
   1 ivmgr    ivmgr      18195 Jul 07 10:46 additional_licenses.txt
   2 ivmgr    ivmgr        512 Dec 31  1969 blades
   1 ivmgr    ivmgr       5890 Jan 24  2003 config
   1 ivmgr    ivmgr        718 May 13 11:40 domino.conf.template
   1 ivmgr    ivmgr        114 Oct 10 11:48 ffdc
   1 root     system        36 Oct 16 13:32 ivmgrd.conf -> /amfs1/PolicyDirector/ivmgrd.conf
   1 root     system        40 Oct 16 13:32 ivmgrd.conf.obf -> /amfs1/PolicyDirector/ivmgrd.conf.obf
   1 ivmgr    ivmgr      16731 Oct 10 11:29 ivmgrd.conf.template
   1 ivmgr    ivmgr       2319 Oct 16 13:31 ldap.conf
   1 ivmgr    ivmgr       2187 Oct 10 11:21 ldap.conf.template
   1 ivmgr    ivmgr      36544 Sep 29 12:45 novschema.def
   1 ivmgr    ivmgr      26260 Sep 29 12:45 nsschema.def
   1 ivmgr    ivmgr         32 Oct 16 13:36 pd.conf -> /amfs1/PolicyDirector/pd.conf
   1 ivmgr    ivmgr       3741 Oct 16 13:32 pd.conf.bkp
   1 ivmgr    ivmgr       3645 Oct 10 11:29 pd.conf.template
   1 ivmgr    ivmgr       5576 Oct 10 10:05 pdbackup.lst
   1 ivmgr    ivmgr       7448 Oct 10 10:05 pdinfo.lst
   1 ivmgr    ivmgr       5255 Oct 10 11:36 pdmgrd_routing.template
   1 ivmgr    ivmgr       1492 Oct 16 13:27 pdversion.dat
   1 ivmgr    ivmgr       1492 Aug 18 11:37 pdversion.dat.template
   1 ivmgr    ivmgr       1466 Jan 24  2003 product
   1 ivmgr    ivmgr       5810 Oct 16 13:27 routing
   1 ivmgr    ivmgr       5674 Oct 10 11:36 routing.template
   1 ivmgr    ivmgr      14035 Sep 29 12:45 secschema.def
   1 ivmgr    ivmgr      11236 Jan 24  2003 secschema390.def
   1 ivmgr    ivmgr          1 Oct 16 13:27 startup
   1 ivmgr    ivmgr          1 Jun 24 10:48 startup.template
   1 ivmgr    ivmgr       1233 Jan 24  2003 upgrade3.7_ibm_schema.def
   1 ivmgr    ivmgr       1938 Jan 24  2003 upgrade3.7_ibm_schema390.def
   1 ivmgr    ivmgr       1744 Jan 24  2003 upgrade3.7_netscape_schema.def
In the /var/PolicyDirector directory:
==> ls -Rl
total 7
drwxrwxr-x   2 ivmgr    ivmgr    Dec 31  1969 audit
lrwxrwxrwx   1 ivmgr    ivmgr    Oct 16 13:36 db -> /amfs1/PolicyDirector/db
drwxrwxr-x   2 ivmgr    ivmgr    Dec 31  1969 db_bkp
lrwxrwxrwx   1 ivmgr    ivmgr    Oct 16 13:36 keytab -> /amfs1/PolicyDirector/keytab
drwxrwxrwx   2 ivmgr    ivmgr    Dec 31  1969 keytab_bkp
lrwxrwxrwx   1 ivmgr    ivmgr    Oct 16 13:36 lock -> /amfs1/PolicyDirector/lock
drwxr-x---   2 ivmgr    ivmgr    Dec 31  1969 lock_bkp
drwxrwxrwx   2 ivmgr    ivmgr    Dec 31  1969 log
drwxrwxr-x   2 ivmgr    ivmgr    Dec 31  1969 pdbackup
drwxr-x---   2 ivmgr    ivmgr    Oct 16 13:24 pdmgrd
(the size column of this listing is not present in the source)

./audit:
total 0

./db_bkp:
total 0

./keytab_bkp:
total 0

./lock_bkp:
total 0
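Two added verification helpers for the standby setup, written here as an illustration and not taken from the IBM guide: pd_id_line extracts the four UIDs and GIDs that the setivug script requires to match on both systems, and check_pd_links performs the link, target and ownership verification of steps 3g and 4e above. They assume POSIX sh with awk, ls and sed, and take every path as a parameter so they can be run against copied passwd/group files or a scratch directory.

```shell
#!/bin/sh
# Added verification helpers for the HACMP standby setup (not from the IBM
# guide). All paths and names are parameters; nothing here is hard-coded to
# /share, /opt/PolicyDirector or /var/PolicyDirector.

# pd_id_line PASSWD_FILE GROUP_FILE
#   Prints one line "ivmgr_uid ivmgr_gid tivoli_uid tivoli_gid" taken from the
#   given passwd and group files, with "-" for any entry that is missing.
#   Run it with /etc/passwd and /etc/group on both policy servers and compare
#   the two lines: the guide requires all four values to be identical.
pd_id_line() {
    pw=$1; gr=$2
    u1=$(awk -F: '$1=="ivmgr"  {print $3; exit}' "$pw")
    g1=$(awk -F: '$1=="ivmgr"  {print $3; exit}' "$gr")
    u2=$(awk -F: '$1=="tivoli" {print $3; exit}' "$pw")
    g2=$(awk -F: '$1=="tivoli" {print $3; exit}' "$gr")
    echo "${u1:--} ${g1:--} ${u2:--} ${g2:--}"
}

# check_pd_links SHARED ETC_DIR VAR_DIR OWNER
#   SHARED  shared directory (/share/PolicyDirector in the guide)
#   ETC_DIR the policy server etc directory (/opt/PolicyDirector/etc)
#   VAR_DIR the policy server var directory (/var/PolicyDirector)
#   OWNER   expected owner of the links made by the linking script (ivmgr)
#   Returns 0 when every expected entry is a symbolic link into SHARED whose
#   target exists. The four links created by the linking script must also be
#   owned by OWNER; ivmgrd.conf is linked by pdconfig, so only its target is
#   checked. Every problem found is printed and the function returns 1.
check_pd_links() {
    shared=$1; etc_dir=$2; var_dir=$3; owner=$4; rc=0
    # link:expected target:required owner ("-" = do not check owner)
    for spec in \
        "$etc_dir/ivmgrd.conf:$shared/ivmgrd.conf:-" \
        "$etc_dir/pd.conf:$shared/pd.conf:$owner" \
        "$var_dir/db:$shared/db:$owner" \
        "$var_dir/keytab:$shared/keytab:$owner" \
        "$var_dir/lock:$shared/lock:$owner"
    do
        link=${spec%%:*}; rest=${spec#*:}
        want=${rest%%:*}; need_owner=${rest#*:}
        if [ ! -L "$link" ]; then
            echo "not a symbolic link: $link"; rc=1; continue
        fi
        # ls -ld on the link itself prints "... link -> target"
        got=$(ls -ld "$link" | sed 's/.* -> //')
        if [ "$got" != "$want" ]; then
            echo "wrong target: $link -> $got (expected $want)"; rc=1
        fi
        if [ ! -e "$want" ]; then
            echo "target missing (is the shared file system mounted?): $want"; rc=1
        fi
        if [ "$need_owner" != "-" ]; then
            have=$(ls -ld "$link" | awk '{print $3}')
            if [ "$have" != "$need_owner" ]; then
                echo "wrong owner on link: $link is $have (expected $need_owner)"; rc=1
            fi
        fi
    done
    return $rc
}
```

Run check_pd_links on the primary with the cluster up and again on the standby after takeover; a "target missing" line on the standby usually means the shared file system has not failed over yet.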
[Figure: the Tivoli Directory Server proxy (Proxy) in front of the back-end servers Server A and Server B; each back-end server carries its own schema and ACLs]
This section describes:
v Configuring the Tivoli Directory Server proxy
v Configuring Tivoli Access Manager to use the proxy on page 543
v Unconfiguring Tivoli Access Manager from the proxy on page 545
For more comprehensive information on configuring the Tivoli Directory Server proxy, such as using the command line interfaces, see the IBM Tivoli Directory Server Version 6.0 Administration Guide. If you already have the Tivoli Directory Server proxy configured for use with Tivoli Access Manager, you can continue with Configuring Tivoli Access Manager to use the proxy on page 543.
Note: In this section, proxy and proxy server refer to the Tivoli Directory Server proxy and not to the Tivoli Access Manager policy proxy server.
server and each of the back-end servers is also Tivoli Directory Server version 6.1, the schema is already in place to support Tivoli Access Manager.
The Tivoli Directory Server proxy server must also be configured with partition information, which determines how the data is distributed between the back-end servers. In this example the data within the subtree is split based on the hash value of the RDN. Hashing is only supported on the RDN at one level in the tree under a container. Nested partitions are allowed. In the case of a compound RDN, the entire normalized compound RDN is hashed. The hash algorithm assigns an index value to the DN of each entry. This value is then used to distribute the entries across the available servers.
Notes:
1. The parent entries across multiple servers must remain synchronized. The LDAP administrator must maintain the parent entries.
2. ACLs must be defined at the partition base level on each server.
3. The number of partitions and the partition level are determined when the Tivoli Directory Server proxy server is configured and when the data is split. There is no way to expand or reduce the topology without re-partitioning.
Entries that exist at the base of a partition, for example o=ibm,c=us, cannot be modified through the Tivoli Directory Server proxy server (Proxy). The proxy server can return one of these entries during a search. The proxy searches for duplicates on the back-end servers (Server A, Server B). Any entry that is returned is a random entry (from either Server A or Server B).
All global administrative group members have the same set of privileges. Global administrative group members:
v Have no privileges or access rights to any data or operations that are related to the configuration settings of the directory server. The configuration settings are commonly called the configuration back-end.
v Have no privileges or access rights to any schema data.
v Have no access to the audit log. Therefore, local administrators can use the audit log to monitor global administrative group member activity for security purposes.
Note: After the Tivoli Directory Server server is configured as a Tivoli Directory Server proxy server, you cannot access the data that is contained in its RDBMS. The Tivoli Directory Server proxy server does not have an RDBMS back-end and cannot take part in replication. If you need to access the data in its RDBMS, you can either reconfigure the server so that it is not a Tivoli Directory Server proxy or you can create a new directory server instance that points to the RDBMS as its database.
To configure a Tivoli Directory Server proxy server, perform the following steps:
1. Log in to the server that you are going to use as the Tivoli Directory Server proxy server as the local LDAP administrator (for example, cn=root).
2. Start the server in Configuration Only Mode.
3. From the navigation pane, expand Proxy administration.
4. Click Manage proxy properties.
5. Select the Configure as proxy server check box.
6. In the Suffix DN field, type cn=ibmpolicies and click Add.
7. In the Suffix DN field, type o=ibm,c=us and click Add.
8. In the Suffix DN field, type cn=pwdpolicy and click Add.
9. Click OK to save your changes and return to the Introduction window.
Note: You must log out from the Web Administration Tool, and log on again. Doing so updates the navigation pane. If you do not log off and log on again, the navigation pane is not updated for a Tivoli Directory Server proxy server. The Tivoli Directory Server proxy server is configured with its own schema. Ensure that the back-end servers and the proxy server are configured with the same schema. If the proxy server and the back-end server use Tivoli Directory Server, version 6.1, the schema is already in place to support Tivoli Access Manager.
11. Repeat steps 3 to 10 for Server B.
12. When you are finished, click Close to save your changes and return to the Introduction window.
13. Ensure that all back-end servers are now started in normal mode (not in Configuration Only Mode).
10. In the Partition index field, type: 1
11. Click OK.
12. Repeat steps 1 to 11 for cn=pwdpolicy.
Synchronizing global policies lets you have the global administration group member entry on a single back-end server instead of having to create it on each of the back-end servers.
10. When you are finished, click Finish to create the object.
11. Repeat steps 1 to 10 for Server B.
At this point, the suffix and the corresponding object exist on each back-end server. You can verify that the object can be searched by using the idsldapsearch command against any of the three servers (Server A, Server B or Proxy) with the following command:
idsldapsearch -h hostname -D local_ldap_administrator -w password \
  -b "o=ibm,c=us" -s base "objectclass=*"
When this search is performed against the Tivoli Directory Server proxy server and because the object exists in each partition, the proxy server randomly selects from which back-end server to acquire the requested object.
5. The suffix will not be available until the server is restarted. In the navigation pane, select Server administration and then select Start/stop/restart server. Ensure that the Start/restart in configuration only mode check box is not selected and then click Restart. After a message is displayed that the restart request was sent, go to Server administration and check the status of the server. Wait until the server has restarted successfully and is currently running before continuing.
6. Log in to Proxy as the local LDAP administrator (for example cn=root).
7. From the navigation pane, expand Proxy administration.
8. On the Proxy administration page, click Manage proxy properties.
9. In the Suffix DN field, type secAuthority=Default and click Add.
10. Click OK to save your changes and return to the Introduction window.
11. From the navigation pane, click Proxy administration and then click Manage partition bases.
12. From the Manage partition bases menu, click Add.
13. In the Partition base DN field, type: secAuthority=Default
14. In the Number of partitions field, type: 1
15. In the Partition bases table, select the secAuthority=Default radio button.
16. Click View servers and then verify that secAuthority=Default is displayed in the Partition base DN field.
17. In the Back-end directory servers for partition base table, click Add.
18. From the Add Back-end directory server menu, click Back-end directory server Server A.
19. Ensure that 1 is displayed in the Partition index field and click OK.
20. When you are finished, click Close.
21. Restart Proxy for the changes to take effect.
back-end server that hosts the secAuthority=Default subtree); do not type the host name of the Tivoli Directory Server proxy server (Proxy). Configure SSL information for setting up an SSL connection with Server A, if SSL is to be used. When using SSL, Proxy needs to be configured with a server certificate that is generated by the same certificate authority (CA) that was used to create the server certificate for Server A. Specify the LDAP DN (for example cn=root) and the LDAP administrator password for Server A. After the Tivoli Access Manager policy server is configured successfully to the back-end server (Server A), you can then retarget the Tivoli Access Manager policy server system to the Tivoli Directory Server proxy server. Exit the pdconfig utility.
For Windows: Note: This example assumes that Tivoli Access Manager is installed to the default location. Change the following commands to match the installation location for your system if necessary.
config modify keyvalue set \
  "c:\Program Files\Tivoli\Policy Director\etc\ldap.conf" \
  ldap host proxy_hostname
config modify keyvalue set \
  "c:\Program Files\Tivoli\Policy Director\etc\ldap.conf" \
  ldap port proxy_port
config modify keyvalue set \
  "c:\Program Files\Tivoli\Policy Director\etc\pd.conf" \
  pdrte user-reg-server proxy_hostname
config modify keyvalue set \
  "c:\Program Files\Tivoli\Policy Director\etc\pd.conf" \
  pdrte user-reg-host proxy_hostname
config modify keyvalue set \
  "c:\Program Files\Tivoli\Policy Director\etc\pd.conf" \
  pdrte user-reg-hostport proxy_port
where:
proxy_hostname
   The host name of the Tivoli Directory Server proxy server.
proxy_port
   The port number of the Tivoli Directory Server proxy server.
4. After the configuration files are modified, the policy server can be restarted using the pd_start start utility on UNIX or using Windows Services.
For additional information about these commands and utilities, see the IBM Tivoli Access Manager for e-business: Command Reference.
For additional information about the ivrgy_tool utility, see ivrgy_tool on page 569. The policy server is the only Tivoli Access Manager component that needs to be retargeted to the Tivoli Directory Server proxy server as described in Configuring Tivoli Access Manager to use the proxy on page 543. Other Tivoli Access Manager components, such as the authorization server or WebSEAL, do not need to be retargeted. After the policy server has been configured, other Tivoli Access Manager components can be configured normally. When configuring Access Manager Runtime for other components, the Tivoli Directory Server proxy server host name and port should be specified for the LDAP host name. It is not necessary to indicate any of the back-end servers.
After all Tivoli Access Manager components are unconfigured, the policy server can be retargeted to the back-end server that is hosting the secAuthority=Default subtree. To retarget the policy server system to the back-end server, stop the policy server using the pd_start stop command on UNIX or using Windows Services. Edit the policy server ldap.conf and pd.conf configuration files using the pdadmin config command with the following steps:
1. Start the pdadmin command.
2. Log in to the local system with the login -l command.
3. Change the value of the host and port in the configuration files to specify the host name and port of the back-end server hosting the secAuthority=Default subtree (Server A in this example) with the following commands:
For UNIX
config modify keyvalue set /opt/PolicyDirector/etc/ldap.conf \
  ldap host serverA_hostname
config modify keyvalue set /opt/PolicyDirector/etc/ldap.conf \
  ldap port serverA_port
config modify keyvalue set /opt/PolicyDirector/etc/pd.conf \
  pdrte user-reg-server serverA_hostname
config modify keyvalue set /opt/PolicyDirector/etc/pd.conf \
  pdrte user-reg-host serverA_hostname
config modify keyvalue set /opt/PolicyDirector/etc/pd.conf \
  pdrte user-reg-hostport serverA_port
For Windows This example assumes that Tivoli Access Manager is installed to the default location. Change the following commands to match the installation location for your system if necessary:
config modify keyvalue set \
  "c:\Program Files\Tivoli\Policy Director\etc\ldap.conf" \
  ldap host serverA_hostname
config modify keyvalue set \
  "c:\Program Files\Tivoli\Policy Director\etc\ldap.conf" \
  ldap port serverA_port
config modify keyvalue set \
  "c:\Program Files\Tivoli\Policy Director\etc\pd.conf" \
  pdrte user-reg-server serverA_hostname
config modify keyvalue set \
  "c:\Program Files\Tivoli\Policy Director\etc\pd.conf" \
  pdrte user-reg-host serverA_hostname
config modify keyvalue set \
  "c:\Program Files\Tivoli\Policy Director\etc\pd.conf" \
  pdrte user-reg-hostport serverA_port
where:
serverA_hostname
   The host name of the back-end server.
serverA_port
   The port number of the back-end server.
4. After the configuration files are modified, the policy server can be restarted using the pd_start start utility on UNIX or using Windows Services.
5. After the policy server is successfully restarted, it can be unconfigured normally using the pdconfig utility.
For additional information about these commands and utilities, see the IBM Tivoli Access Manager for e-business: Command Reference.
mgrsslcfg
pdbackup
pdconfig
pdjrtecfg
pdproxycfg
pdsmsclicfg
pdversion
pdwpicfg
smscfg
svrsslcfg
amauditcfg
Configures Tivoli Access Manager servers to use common audit services or unconfigures Tivoli Access Manager servers from common audit services.
Syntax
amauditcfg -action config -srv_cfg_file configuration_file -audit_srv_url url -enable_ssl no -disk_cache_mode never

amauditcfg -action config -srv_cfg_file configuration_file -audit_srv_url url -enable_ssl no -disk_cache_mode {always|auto} -disk_cache_file cache_file

amauditcfg -action config -srv_cfg_file configuration_file -audit_srv_url url -enable_ssl yes -audit_key_file key_file -audit_stash_file stash_file -enable_pwd_auth no -disk_cache_mode never

amauditcfg -action config -srv_cfg_file configuration_file -audit_srv_url url -enable_ssl yes -audit_key_file key_file -audit_stash_file stash_file -enable_pwd_auth no -disk_cache_mode {always|auto} -disk_cache_file cache_file

amauditcfg -action config -srv_cfg_file configuration_file -audit_srv_url url -enable_ssl yes -audit_key_file key_file -audit_stash_file stash_file -enable_pwd_auth yes -audit_id audit_id -audit_pwd audit_password -disk_cache_mode never

amauditcfg -action config -srv_cfg_file configuration_file -audit_srv_url url -enable_ssl yes -audit_key_file key_file -audit_stash_file stash_file -enable_pwd_auth yes -audit_id audit_id -audit_pwd audit_password -disk_cache_mode {always|auto} -disk_cache_file cache_file -temp_storage_full_timeout number_of_seconds

amauditcfg -action unconfig -srv_cfg_file configuration_file

amauditcfg -operations

amauditcfg -help [options]

amauditcfg -rspfile response_file

amauditcfg -usage

amauditcfg -?
Description
Use the amauditcfg utility to configure or unconfigure the Common Auditing Service client from the command line. The utility can be run in command line mode or response file mode. In command line mode, all parameters must be specified from the command line. In response file mode, the utility obtains the necessary parameters from the response file. You must manually create the response file, and the response file requires all parameters.
Parameters
-?
   Displays the syntax and an example for this utility.
-action {config|unconfig}
   This parameter takes one of the following arguments:
   config     Configures the client.
   unconfig   Unconfigures the client.
-audit_id administrator_id
   Specifies the WebSphere administrator who has the EventSource role mapped to the CommonAuditService. This ID is authenticated through WebSphere using HTTP basic authentication. This parameter is valid when the -enable_pwd_auth parameter is set to yes.
-audit_key_file key_file
   Specifies the fully qualified name of the key file that is needed to communicate securely with the Web service. This parameter is required when the -enable_ssl parameter is set to yes.
-audit_pwd audit_id_password
   Specifies the password for the WebSphere administrator who has the EventSource role mapped to the CommonAuditService. This parameter is valid when the -enable_pwd_auth parameter is set to yes.
-audit_srv_url url
   Specifies the URL of the Web service. For secure communication, use the following URL:
   https://hostname:9443/CommonAuditService/services/Emitter
   For nonsecure communication, use the following URL:
   http://hostname:9080/CommonAuditService/services/Emitter
-audit_stash_file stash_file
   Specifies the fully qualified name of the stash file that is needed to communicate securely with the Common Audit Web service. This parameter is required when the -enable_ssl parameter is set to yes.
-disk_cache_file cache_file
   Specifies the fully qualified name of the disk cache file. This parameter is required when the -disk_cache_mode parameter is set to always or auto.
-disk_cache_mode {always|never|auto}
   Specifies whether to enable disk caching, and, when enabled, indicates how to handle disk caching. The following values are valid:
   always   Indicates that audit events are always written directly to the disk cache.
   never    Indicates that audit events are written to the event queue. There is no disk cache.
   auto     Indicates that audit events are written to the event queue except when the server is down or the event queue is full. Under these conditions, the audit events are written to the disk cache.
   The default value is auto.
-temp_storage_full_timeout {0|-1|number_of_seconds}
   Specifies the number of seconds that the common auditing and reporting services client waits before discarding cached events when the temporary
Chapter 26. Tivoli Access Manager utilities
549
amauditcfg
disk cache storage is filled. Valid values are -1, 0, number of seconds. A value of -1 indicates that cached events are not discarded. A value of 0 indicates that cached events are discarded immediately. A specified number of seconds indicates that cached events are not discarded until the specified number of seconds has passed. The default value is 0. This parameter takes effect only when disk_cache_mode is set to always or auto. enable_pwd_auth {yes|no} Specifies whether password authentication is used. Valid values are yes or no. The default value is no. enable_ssl {yes|no} Specifies whether to enable SSL communication between the Common Audit client (the security server) and the Common Audit Web service. Valid values are yes or no. The default value is no. help [parameters] Lists all parameters and their descriptions when specified without parameters. When one or more parameters are specified, lists the specified parameters and their descriptions. operations Prints out all the valid parameters. rspfile response_file Specifies the fully qualified path and file name of the response file to use during silent configuration. A response file can be used for configuration. There is no default response file name. The response file contains stanzas and parameter=value pairs. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Auditing Guide. srv_cfg_file configuration_file The fully qualified configuration file name of the Access Manager server to configure to or unconfigure from common auditing services. usage Displays the syntax and an example for this utility.
Availability
This utility is located in one of the following default installation directories:
• On Linux and UNIX operating systems:
  /opt/PolicyDirector/sbin/
When an installation directory other than the default is selected, this utility is located in the /sbin directory under the installation directory (for example, installation_directory/sbin).
Return codes
0
   The utility completed successfully.
1
   The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
Examples
• The following example configures an authorization server using SSL and password authentication:
  amauditcfg -action config \
     -srv_cfg_file /opt/PolicyDirector/etc/ivacld.conf \
     -audit_srv_url https://hostname:9443/CommonAuditService/services/Emitter \
     -enable_ssl yes -audit_key_file /certs/WSclient.kdb \
     -audit_stash_file /certs/WSclient.sth -enable_pwd_auth yes \
     -audit_id administrator_id -audit_pwd password
• The following example uses the /tmp/rspfile/cars_pdacld.rsp response file to configure an authorization server using SSL and password authentication:
  amauditcfg -rspfile /tmp/rspfile/cars_pdacld.rsp
amwebcfg
Configures or unconfigures a WebSEAL server.
Syntax
amwebcfg -action config -host host_name -listening_port am_listening_port -inst_name instance_name -nw_interface_yn {yes|no} -admin_id admin -admin_pwd password -ip_address ip_address -ssl_yn {yes|no} -key_file key_file -key_file_pwd password -cert_label label -ssl_port ssl_port -http_yn {yes|no} -http_port http_port -https_yn {yes|no} -https_port https_port -doc_root doc_root
amwebcfg -action config -rspfile response_file
amwebcfg -action config -interactive
amwebcfg -action unconfig -inst_name instance_name -admin_id admin -admin_pwd password
amwebcfg -action unconfig -interactive
amwebcfg -operations
amwebcfg -help [options]
amwebcfg -usage
amwebcfg -?
Description
Use the amwebcfg utility to configure a WebSEAL instance from the command line. The utility can be run in interactive mode, command line mode, or response file mode. In interactive mode, you are prompted to supply the necessary values. In command line mode, all parameters must be specified from the command line. In response file mode, the utility obtains the necessary options from the response file. The response file requires all parameters. The response file must be created manually.
Parameters
-?
   Displays the syntax and an example for this utility.
-action {config|name|status|unconfig}
   This parameter takes one of the following arguments:
   config
      Configures a WebSEAL instance.
   name
      Retrieves the Tivoli Access Manager WebSEAL package name and returns the name value to the pdconfig utility. This parameter is used only by pdconfig. Do not use this parameter from the command line.
   status
      Returns the status value to the pdconfig utility. This parameter is used only by pdconfig. Do not use this parameter from the command line.
   unconfig
      Unconfigures a WebSEAL instance.
-admin_id admin
   Specifies the name of the Tivoli Access Manager administrative user. The default value is sec_master.
-admin_pwd password
   Specifies the Tivoli Access Manager administrative user password (the administrative user is normally sec_master).
-cert_label label
   Specifies the LDAP client certificate label. This parameter is used only when SSL communication is enabled between WebSEAL and an LDAP server (-ssl_yn yes). Note that when SSL communication is enabled between WebSEAL and the LDAP server, SSL does not require an LDAP client certificate label. This label is therefore optional, even when amwebcfg is called with -ssl_yn yes. When the client label is not specified, SSL uses the default certificate contained in the key file. Used with -action config.
-doc_root doc_root
   Specifies the Web document root directory. The directory must already exist. Used with -action config. When this parameter is not supplied on the command line, amwebcfg creates a default directory. The default directory path includes the instance name, prefixed by www-. For example, when the instance name is web1 and doc_root is not specified on the command line, the following directory is created:
   On Linux and UNIX operating systems
      /opt/pdweb/www-web1/docs
   On Windows operating systems
      installation_directory\pdweb\www-web1\docs
   When the first WebSEAL instance is configured, the default server instance name of default is accepted, and no value for doc_root is supplied, amwebcfg creates the following Web document root directory:
   On Linux and UNIX operating systems
      /opt/pdweb/www-default/docs
   On Windows operating systems
      installation_directory\pdweb\www-default\docs
-help [options]
   Lists each parameter and a one-line description of it when specified without an argument. When one or more arguments are specified, lists each specified parameter and a one-line description of it.
-host host_name
   Specifies the host name that is used by the Tivoli Access Manager policy server to contact a WebSEAL server. This parameter is required for -action config.
   Valid values include any valid IP host name. For example:
      libra.dallas.ibm.com
-http_yn {yes|no}
   Specifies whether HTTP access is allowed to the WebSEAL instance. This parameter is required for -action config. The valid Boolean indicators are yes or no. There is no default value.
-http_port http_port
   Specifies the port number for unsecure HTTP access. This parameter is required for -action config when http_yn is set to yes. The well known port for HTTP is 80. There is no default value.
-https_yn {yes|no}
   Specifies whether HTTPS access is allowed to the WebSEAL instance. This parameter is required for -action config. The valid Boolean indicators are yes or no. There is no default value.
-https_port https_port
   Specifies the port number for secure HTTP access. This parameter is required for -action config when https_yn is set to yes. The well known port for HTTPS is 443. There is no default value.
-inst_name instance_name
   Specifies the name of the WebSEAL instance as a string, for example, web1. This string does not include the host name. This parameter is required for -action config. The following characters are allowed:
   • ASCII letters (A-Z or a-z)
   • Period (.)
   • Hyphen (-)
   • Underscore (_)
   When using the GUI to configure the first WebSEAL instance, amwebcfg supplies a default instance name of default. This instance name can be changed to another name (for example, webseal1).
-interactive
   Specifies that the configuration is to be done interactively by the administrator. WebSEAL displays a text-based menu and presents a series of prompts to obtain the necessary configuration information from the administrator.
   Note: Interactive mode is supported only on Linux and UNIX operating systems. When this parameter is used on Windows operating systems, an error message states that the parameter is not supported.
-ip_address ip_address
   Specifies the logical network interface that is the IP address for the WebSEAL server. This parameter is required with -action config only when nw_interface_yn is set to yes.
-key_file key_file
   Specifies the LDAP SSL key file. This parameter is required with -action config only when SSL communication is enabled between the WebSEAL server and an LDAP server.
-key_file_pwd password
   Specifies the LDAP SSL key file password. This parameter is required with -action config only when SSL communication is enabled between the WebSEAL server and the LDAP server.
-listening_port am_listening_port
   Specifies the listening port number for the Tivoli Access Manager policy server. This listening port is the port on which the WebSEAL server and the policy server communicate. The port must be greater than 1024, and must be available for use. This parameter is required with -action config.
-nw_interface_yn {yes|no}
   Specifies whether to use a logical network interface. The valid Boolean indicators are yes or no. This parameter is required with -action config when adding an additional WebSEAL instance. There is no default value.
-operations
   Prints out all the valid command line options.
-rspfile response_file
   Specifies the fully qualified path and file name of the response file to use during silent configuration. A response file can be used for configuration. There is no default response file name. The response file contains stanzas and parameter=value pairs. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.
-ssl_port ssl_port
   Specifies the port number on which SSL communication takes place between the WebSEAL server and the LDAP server. This parameter is required only when ssl_yn is set to yes as part of -action config. The well known port for SSL is 636. There is no default value.
-ssl_yn {yes|no}
   Specifies whether to enable SSL communication between the WebSEAL server and the LDAP server. The valid Boolean indicators are yes or no. This parameter is required with -action config. There is no default value.
-usage
   Displays the syntax and an example for this utility.
Availability
This utility is located in one of the following default installation directories:
• On Linux and UNIX operating systems:
  /opt/pdweb/bin
When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).
Return codes
0
   The utility completed successfully.
1
   The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
Examples
• The following example configures the default WebSEAL instance with SSL communication enabled with an LDAP server:
  amwebcfg -action config -inst_name default -host diamond.subnet2.ibm.com \
     -listening_port 7234 -nw_interface_yn no \
     -admin_id sec_master -admin_pwd mypassw0rd \
     -ssl_yn yes -key_file /tmp/client.kdb -key_file_pwd mypassw0rd \
     -cert_label ibm_cert -ssl_port 636 \
     -http_yn yes -http_port 80 -https_yn yes -https_port 443 \
     -doc_root /usr/docs
• The following example configures a WebSEAL instance named web1 to use a logical network interface, and to not enable SSL communication with an LDAP server:
  amwebcfg -action config -host emerald.subnet2.ibm.com -listening_port 7235 \
     -inst_name web1 -nw_interface_yn yes -ip_address 111.222.333.222 \
     -admin_id sec_master -admin_pwd mypassw0rd \
     -http_yn yes -http_port 81 -https_yn yes -https_port 444
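The parameter list above spells out several dependencies (ip_address only with nw_interface_yn yes; key_file, key_file_pwd and ssl_port only with ssl_yn yes; a port for each protocol that is enabled; listening_port above 1024; doc_root must already exist) that a scripted configuration can easily get wrong. The following POSIX shell pre-flight check is an added example and is not part of this guide or of the product; the function names, the name=value input form and the acceptance of digits in instance names are assumptions, and it only checks a parameter set for consistency before amwebcfg is run.

```shell
#!/bin/sh
# Pre-flight check for the parameter dependencies of "amwebcfg -action config".
# Added example for this guide, not IBM's code: the function names and the
# name=value input form are assumptions. It checks that a parameter set is
# internally consistent before amwebcfg runs; it does not call amwebcfg.

# Record one violated rule on stderr and count it (errors is a global).
fail() {
    echo "amwebcfg preflight: $1" >&2
    errors=$((errors + 1))
}

# yes_no VALUE: 0 only for the Boolean indicators the guide accepts.
yes_no() {
    case "$1" in yes|no) return 0 ;; *) return 1 ;; esac
}

# port_ok VALUE MIN: 0 when VALUE is an integer in MIN..65535.
port_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le 65535 ]
}

# inst_name_ok VALUE: non-empty, ASCII letters, period, hyphen, underscore.
# Digits are accepted too because the guide's own sample names (web1,
# webseal1) contain them; that is an assumption of this example.
inst_name_ok() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    return 0
}

# preflight name=value ...
# Takes the amwebcfg parameters as name=value words (no leading hyphen),
# reports every violated dependency and returns the number of violations,
# so 0 means the set is consistent.
preflight() {
    inst_name= host= listening_port= nw_interface_yn= ip_address=
    ssl_yn= key_file= key_file_pwd= ssl_port=
    http_yn= http_port= https_yn= https_port= doc_root=
    errors=0
    for kv in "$@"; do
        key=${kv%%=*}; val=${kv#*=}
        case "$key" in
            inst_name)       inst_name=$val ;;
            host)            host=$val ;;
            listening_port)  listening_port=$val ;;
            nw_interface_yn) nw_interface_yn=$val ;;
            ip_address)      ip_address=$val ;;
            ssl_yn)          ssl_yn=$val ;;
            key_file)        key_file=$val ;;
            key_file_pwd)    key_file_pwd=$val ;;
            ssl_port)        ssl_port=$val ;;
            http_yn)         http_yn=$val ;;
            http_port)       http_port=$val ;;
            https_yn)        https_yn=$val ;;
            https_port)      https_port=$val ;;
            doc_root)        doc_root=$val ;;
            admin_id|admin_pwd|cert_label) ;;   # accepted; no cross-checks
            *) fail "unknown parameter '$key'" ;;
        esac
    done

    inst_name_ok "$inst_name" || fail "inst_name: required; only letters, digits, '.', '-' and '_' are allowed"
    [ -n "$host" ] || fail "host: required"
    port_ok "$listening_port" 1025 || fail "listening_port: must be a port number greater than 1024"

    # A logical network interface needs the address WebSEAL binds to.
    yes_no "$nw_interface_yn" || fail "nw_interface_yn: must be yes or no"
    [ "$nw_interface_yn" = yes ] && [ -z "$ip_address" ] && fail "ip_address: required when nw_interface_yn is yes"

    # SSL to the LDAP server needs the key database, its password and the
    # port; cert_label stays optional because the key file's default
    # certificate is used when no label is given.
    yes_no "$ssl_yn" || fail "ssl_yn: must be yes or no"
    if [ "$ssl_yn" = yes ]; then
        [ -n "$key_file" ] || fail "key_file: required when ssl_yn is yes"
        [ -n "$key_file_pwd" ] || fail "key_file_pwd: required when ssl_yn is yes"
        port_ok "$ssl_port" 1 || fail "ssl_port: required when ssl_yn is yes (636 is the well known port)"
    fi

    # Each enabled protocol needs its own listening port.
    yes_no "$http_yn" || fail "http_yn: must be yes or no"
    [ "$http_yn" = yes ] && ! port_ok "$http_port" 1 && fail "http_port: a valid port is required when http_yn is yes"
    yes_no "$https_yn" || fail "https_yn: must be yes or no"
    [ "$https_yn" = yes ] && ! port_ok "$https_port" 1 && fail "https_port: a valid port is required when https_yn is yes"

    # doc_root, when given, must already exist; amwebcfg only creates the
    # default www-<instance>/docs directory when the parameter is omitted.
    [ -n "$doc_root" ] && [ ! -d "$doc_root" ] && fail "doc_root: directory '$doc_root' does not exist"

    return "$errors"
}
```

Source the file and call preflight with the values you intend to pass to amwebcfg (for example, preflight inst_name=default host=diamond.subnet2.ibm.com listening_port=7234 ...); the return code is the number of violated rules, so 0 means the set is safe to hand to amwebcfg.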
amwpmcfg
Configures or unconfigures the Web Portal Manager component of Tivoli Access Manager.
Syntax
amwpmcfg -action config -policysvr policy_server_host [-policysvr_port policy_server_port] -waspath websphere_installation_path [-was_host websphere_host] [-was_port websphere_port] [-was_admin_id websphere_admin] [-was_admin_pwd websphere_admin_password] [-trust_store trust_store] [-trust_store_pwd trust_store_password] [-keyfile key_file] [-key_pwd key_file_password] [ http_server_name] [-authzsvr authorization_server_host] [-authzsvr_port authorization_server_port] [-admin_id tam_admin] [-admin_pwd tam_admin_password] [-domain domain]
amwpmcfg -action config -interactive
amwpmcfg -action config -rspfile properties_file
amwpmcfg -action name
amwpmcfg -action status
amwpmcfg -action unconfig -policysvr policy_server_host [-policysvr_port policy_server_port] -waspath websphere_installation_path [-was_host websphere_host] [-was_port websphere_port] [-was_admin_id websphere_admin] [-was_admin_pwd websphere_admin_password] [-trust_store trust_store] [-trust_store_pwd trust_store_password] [-keyfile key_file] [-key_pwd key_file_password] [ http_server_name] [-admin_id tam_admin] [-admin_pwd tam_admin_password]
amwpmcfg -action unconfig -interactive
amwpmcfg -help [parameters]
amwpmcfg -operations
amwpmcfg -usage
amwpmcfg -?
Description
The amwpmcfg utility is used to configure or unconfigure the Web Portal Manager component of Tivoli Access Manager. You can perform these actions in the following ways:
• Directly from the command line
• Interactively through a graphical interface
• Silently with a response file
When using this utility to configure Web Portal Manager, different parameters are required depending on the following situations:
• Whether a secure connection to WebSphere Application Server is used
• Whether the Tivoli Access Manager authorization server is already configured
When using a secure connection to WebSphere Application Server, you must specify the following parameters:
• -was_admin_id
• -was_admin_pwd
• -trust_store
• -trust_store_pwd
• -keyfile
• -key_pwd
When the authorization server is already configured, you must specify the following parameters:
• -authzsvr
• -authzsvr_port
Parameters
-?
   Displays the usage statement for this utility.
-action {config|name|status|unconfig}
   Specifies the action to perform. Actions include:
   config
      Configures Web Portal Manager for Tivoli Access Manager.
   name
      Retrieves the package name of Web Portal Manager and returns the name value to the pdconfig utility. This parameter is used internally by the pdconfig utility. Do not use this parameter from the command line.
   status
      Determines the configuration status of Web Portal Manager and returns the status to the pdconfig utility. This parameter is used internally by the pdconfig utility. Do not use this parameter from the command line.
   unconfig
      Unconfigures Web Portal Manager for Tivoli Access Manager.
-admin_id tam_admin
   Specifies the name of the Tivoli Access Manager administrator with the appropriate administrative privileges. If not specified, you are prompted.
-admin_pwd tam_admin_password
   Specifies the password for the Tivoli Access Manager administrator. If not specified, you are prompted.
-authzsvr authorization_server_host
   Specifies the host name of the Tivoli Access Manager authorization server. Valid values include any valid IP host name. For example:
      libra.dallas.ibm.com
-authzsvr_port authorization_server_port
   Specifies the port number for the Tivoli Access Manager authorization server. The default value is 7136.
-domain domain
   Specifies the name of the domain. The domain must already exist. Any security policy that is defined in a domain affects only the objects in that domain. Users with authority to perform tasks in one domain do not necessarily have authority to perform those same tasks in other domains. The default domain is Default, which indicates the management domain.
-help [parameter]
   Displays online help for this utility. Without parameters, the entire usage statement is displayed. With one or more parameters, the help for only those parameters is displayed.
-interactive
   Specifies interactive mode, using a graphical interface, to configure or unconfigure Web Portal Manager. If not specified, the utility runs in silent mode.
-key_pwd key_file_password
   Specifies the existing password that is associated with the specified client key file. This password was set when the key file was created. This parameter is required when using a secure connection to WebSphere Application Server.
-keyfile key_file
   Specifies the fully qualified file name of the key file. This key file holds the client-side certificates that are used in secure communication. This parameter is required when using a secure connection to WebSphere Application Server.
-operations
   Displays all of the valid parameters for this utility.
-policysvr policy_server_host
   Specifies the host name of the Tivoli Access Manager policy server. Valid values include any valid IP host name. For example:
libra.dallas.ibm.com
-policysvr_port policy_server_port
   Specifies the port number for the Tivoli Access Manager policy server. The default value is 7135.
-rspfile properties_file
   Specifies the fully qualified path and file name of the properties file to use during silent configuration. A properties file can be used for configuration. There is no default properties file name. The properties file contains parameter=value pairs. To use properties files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.
-trust_store trust_store
   Specifies the fully qualified file name of the trust store. This trust store holds the server-side certificates that are used in secure communication. The trust store is used to verify the certificate that is presented by the server. The signer of the certificate must be a trusted certificate authority (CA). This parameter is required when using a secure connection to WebSphere Application Server.
-trust_store_pwd trust_store_password
   Specifies the existing password that protects the trust store file. This password was set when the trust store was created. This parameter is required when using a secure connection to WebSphere Application Server.
-usage
   Displays the usage statement for this utility.
-was_admin_id websphere_admin
   Specifies the name of the WebSphere administrator with the appropriate administrative privileges. This parameter is required when using a secure connection to WebSphere Application Server. If not specified, you are prompted.
-was_admin_pwd websphere_admin_password
   Specifies the password for the WebSphere administrator. This parameter is required when using a secure connection to WebSphere Application Server. If not specified, you are prompted.
-was_host websphere_host
   Specifies the host name or IP address of the system where WebSphere Application Server is installed.
-was_port websphere_port
   Specifies the SOAP port number for WebSphere Application Server. The default value is 8879 when using Deployment Manager in a cluster environment and 8880 when using an application server in a single server environment.
-waspath websphere_installation_path
   Specifies the full path to the installation directory for IBM WebSphere Application Server. This directory is validated by checking for the existence of the wsadmin script in the /bin directory and the /java/jre/lib/ext/PD.jar file. The configuration fails if a required version of WebSphere Application Server is not installed.
Availability
This utility is located in one of the following default installation directories:
• On Linux and UNIX operating systems:
  /opt/PolicyDirector/sbin
When an installation directory other than the default is selected, this utility is located in the /sbin directory under the installation directory (for example, installation_directory/sbin).
Return codes
0
   The utility completed successfully.
1
   The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
bassslcfg
Configures or modifies the configuration information of the Tivoli Access Manager runtime.
Syntax
bassslcfg -add_replica -h host_name -p port -r replica_rank
bassslcfg -chgpwd -e password_life
bassslcfg -chg_replica -h host_name [-p server_port -r replica_rank]
bassslcfg -config -c cert_file -h host_name [-p server_port] [-e password_life] [-t ssl_timeout] [-d primary_domain] [-a {yes|no}]
bassslcfg -getcacert -c cert_file -h host_name [-p server_port]
bassslcfg -getmgtdomain -h host_name [-p port]
bassslcfg -modify [-h host_name] [-e password_life] [-p server_port] [-t ssl_timeout] [-d primary_domain] [-a {yes|no}]
bassslcfg -ping -h host_name [-p server_port]
bassslcfg -rmv_replica -h host_name
Parameters
-a {yes|no}
   Sets the key file password ssl-auto-refresh entry in the pd.conf configuration file. The value must be yes or no.
-add_replica
   Before deprecation, added an authentication server replica.
-c cert_file
   Specifies the name of the policy server base-64 encoded, self-signed certificate.
-chgpwd
   Changes the key database password. A new random password is generated and saved in the stash file.
-chg_replica
   Before deprecation, changed the attributes of an authentication server replica. The replica host name is used to identify the replica server and cannot be changed by this utility.
-config
   Configures the Tivoli Access Manager runtime so that pdadmin commands and the svrsslcfg utility can communicate with the policy server. Also creates a new key file and stash file.
-d domain
   Specifies the local domain name. During a configuration action, this domain must exist and the administrator ID and password must be valid for this domain. If not specified, the local domain that was specified during configuration of the Tivoli Access Manager runtime is used. The local domain value is retrieved from the configuration file. A valid local domain name is an alphanumeric, case-sensitive string. String characters are expected to be characters that are part of the local code set. You cannot use a space in the domain name.
-e password_life
   Sets the key file password expiration time in days. During a configuration action, the default value is 7299. When modifying:
   • Specify 0 if you want to use the currently configured value.
   • Specify 7299 days if the currently configured value cannot be determined.
   • Otherwise, specify a valid value from 1 to 7299.
-getcacert
   Downloads the root CA certificate to a file.
-getmgtdomain
   Prints the name of the management domain from the policy server to standard output (stdout).
-h host_name
   Specifies the TCP host name of the policy server. Valid values include any valid IP host name. For example:
      host = libra
      host = libra.dallas.ibm.com
-modify
   Modifies the policy server configuration.
-p server_port
   Specifies the listening port of the policy server. The default value is 7135. For a ping action, specify the listening port of that server. If not specified, the default listening port is 7135.
-ping
   Pings a Tivoli Access Manager server.
-rmv_replica
   Before deprecation, removed an authentication server replica.
-t ssl_timeout
   Specifies the SSL session timeout in seconds. The value must be from 1 to 86400. During a configuration action, the default value is 7200.
Availability
This utility is located in one of the following default installation directories:
• On Linux and UNIX operating systems:
  /opt/PolicyDirector/sbin
When an installation directory other than the default is selected, this utility is located in the /sbin directory under the installation directory (for example, installation_directory/sbin).
Return codes
0
   The utility completed successfully.
1
   The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
install_component
Expedites the installation and configuration of Tivoli Access Manager components.
Syntax
install_amacld -console
install_amacld -options response_file [-silent]
install_amadk -console
install_amadk -options response_file [-silent]
install_amjrte -console
install_amjrte -options response_file [-silent]
install_ammgr -console
install_ammgr -options response_file [-silent]
install_amproxy -console
install_amproxy -options response_file [-silent]
install_amrte -console
install_amrte -options response_file [-silent]
install_amweb -console
install_amweb -options response_file [-silent]
install_amwebadk -console
install_amwebadk -options response_file [-silent]
install_amwebars -console
install_amwebars -options response_file [-silent]
install_amwpi -console
install_amwpi -options response_file [-silent]
install_amwpm -console
install_amwpm -options response_file [-silent]
install_ldap_server -console
install_ldap_server -options response_file [-silent]
install_sms -console
install_sms -options response_file [-silent]
install_smscli -console
install_smscli -options response_file [-silent]
Description
The install_component command expedites the installation and configuration of Tivoli Access Manager components.
Note: If you use Microsoft Active Directory on a Linux or UNIX operating system, or if the domain of the policy server is different from the domain of the local machine, Tivoli Directory Server is required on Tivoli Access Manager systems.
The installation wizard executable files are also useful if you want to add a Tivoli Access Manager component or set up a system in an existing domain. All prerequisite products and Tivoli Access Manager components are installed and configured, except for a platform-specific JRE that must be installed manually.
To create a response file for a Tivoli Access Manager installation wizard, copy the template that is provided for the component in the /rspfile directory on the Tivoli Access Manager CD to your hard drive and edit its values. For detailed information, including step-by-step scenarios, see the IBM Tivoli Access Manager for e-business: Installation Guide.
Ensure that you are familiar with the configuration options of the install_component executable files. Before running the install_component utility, ensure that the component is supported on your platform.
Parameters
install_amacld
   Sets up a Tivoli Access Manager authorization server system with the following software packages:
   • IBM Global Security Kit
   • IBM Tivoli Directory Server client (if needed for LDAP or Active Directory on Linux and UNIX operating systems)
   • Tivoli Security Utilities
   • Tivoli Access Manager License
   • Tivoli Access Manager Runtime
   • Tivoli Access Manager Authorization Server
install_amadk
   Sets up a Tivoli Access Manager Application Development Kit development system with the following software packages:
   • IBM Global Security Kit
   • IBM Tivoli Directory Server client (if needed for LDAP or Active Directory on Linux and UNIX operating systems)
   • Tivoli Security Utilities
   • Tivoli Access Manager License
   • Tivoli Access Manager Runtime
   • Tivoli Access Manager Application Development Kit
install_amjrte
   Sets up a Java Runtime Environment (JRE) system with the following software packages:
   • Tivoli Access Manager License
   • Tivoli Access Manager Runtime for Java
install_ammgr
   Sets up the Tivoli Access Manager policy server system with the following software packages:
   • IBM Global Security Kit
   • IBM Tivoli Directory Server client (if needed for LDAP on Linux and UNIX operating systems)
   • Tivoli Security Utilities
   • Tivoli Access Manager License
   • Tivoli Access Manager Runtime
   • Tivoli Access Manager Policy Server
install_amproxy
   Sets up the Tivoli Access Manager policy proxy server system with the following software packages:
   • IBM Global Security Kit
   • IBM Tivoli Directory Server client
   • Tivoli Security Utilities
   • Tivoli Access Manager License
   • Tivoli Access Manager Runtime
   • Tivoli Access Manager Policy Proxy Server
install_amrte
   Sets up a Tivoli Access Manager runtime system with the following software packages:
   • IBM Global Security Kit
   • IBM Tivoli Directory Server client (if needed for LDAP or Active Directory on Linux and UNIX operating systems)
   • Tivoli Security Utilities
   • Tivoli Access Manager License
   • Tivoli Access Manager Runtime
install_amweb
   Sets up a Tivoli Access Manager WebSEAL system with the following software packages:
   • IBM Global Security Kit
   • IBM Tivoli Directory Server client (if needed for LDAP or Active Directory on Linux and UNIX operating systems)
   • Tivoli Security Utilities
   • Tivoli Access Manager License
   • Tivoli Access Manager Runtime
   • Tivoli Access Manager Web Security Runtime
   • Tivoli Access Manager WebSEAL
install_amwebadk
   Sets up a Tivoli Access Manager Web security Application Development Kit development system with the following software packages:
   • IBM Global Security Kit
   • IBM Tivoli Directory Server client (if needed for LDAP or Active Directory on Linux and UNIX operating systems)
   • Tivoli Security Utilities
   • Tivoli Access Manager License
   • Tivoli Access Manager Runtime
   • Tivoli Access Manager Application Development Kit
   • Tivoli Access Manager Web Security Runtime
   • Tivoli Access Manager WebSEAL Application Development Kit
install_amwebars
   Sets up a Tivoli Access Manager Attribute Retrieval Service system with the following software packages:
   • IBM WebSphere Application Server
   • Tivoli Access Manager License
   • Tivoli Access Manager Attribute Retrieval Service
install_amwpi
   Sets up a Tivoli Access Manager plug-in for Web server system with the following software packages:
   • IBM Global Security Kit
   • IBM Tivoli Directory Server client (if needed for LDAP or Active Directory on Linux and UNIX operating systems)
   • Tivoli Security Utilities
   • Tivoli Access Manager License
   • Tivoli Access Manager Runtime
   • Tivoli Access Manager Web Security Runtime
   • Tivoli Access Manager Plug-in for Web Servers
   • One of the following Web server-specific plug-ins:
     - Tivoli Access Manager Plug-in for Apache Web Server
     - Tivoli Access Manager Plug-in for IBM HTTP Server
     - Tivoli Access Manager Plug-in for Sun Java System Web Server
install_amwpm
   Sets up the Web Portal Manager interface with the following software packages:
   • IBM WebSphere Application Server
   • Tivoli Access Manager License
   • Tivoli Access Manager Runtime for Java
   • Tivoli Access Manager Web Portal Manager
install_ldap_server
   Sets up an IBM Tivoli Directory Server system with the following software packages:
   • IBM Global Security Kit
   • IBM DB2 Universal Database
   • IBM Tivoli Directory Server client
   • IBM Tivoli Directory Server
   Note: You cannot use the install_ldap_server executable file if an existing version of Tivoli Directory Server is installed.
install_sms
   Sets up a Tivoli Access Manager session management server system with the following software packages:
   • IBM WebSphere Application Server
   • Tivoli Access Manager Session Management Server
install_smscli
   Sets up a Tivoli Access Manager session management command line system with the following software packages:
   • IBM WebSphere Application Server
   • IBM Global Security Kit
   • IBM Tivoli Directory Server client (if needed for LDAP or Active Directory on Linux and UNIX operating systems)
   • Tivoli Security Utilities
   • Tivoli Access Manager License
   • Tivoli Access Manager Runtime
   • Tivoli Access Manager Authorization Server
   • Tivoli Access Manager Session Management Command Line
response_file
   Specifies a response file to perform a silent, unattended installation of Tivoli Access Manager components. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.
Return codes
0 The utility completed successfully.
nonzero The utility failed.
1003 A reboot of the system is required.
ivrgy_tool
Updates the Tivoli Access Manager schema on the specified LDAP server or applies the required ACLs to suffixes that were added to the LDAP server after the policy server was configured.
Syntax
ivrgy_tool -h host_name -p port -D admin_dn -w admin_password -d add-acls domain_name
ivrgy_tool -h host_name -p port -D admin_dn -w admin_password -d -Z -K keyfile -P keyfile_password [-N keyfile_label] add-acls domain_name
ivrgy_tool -h host_name -p port -D admin_dn -w admin_password -d schema
ivrgy_tool -h host_name -p port -D admin_dn -w admin_password -d -Z -K keyfile -P keyfile_password [-N keyfile_label] schema
Description
The ivrgy_tool utility with the add-acls parameter can be used to apply the required ACLs to suffixes that were added to the LDAP server after the policy server was configured, or to apply ACLs to the back-end servers in a Tivoli Directory Server proxy environment. In the proxy environment, the back-end server enforces access control. You need to ensure that the proper ACLs are created on each back-end server if the ACLs exist on the top-level object of the partition split. To set the necessary ACLs on the back-end servers to allow Tivoli Access Manager to manage the partition suffix, use the add-acls parameter.
The ivrgy_tool utility with the schema parameter updates the Tivoli Access Manager schema on the specified supported LDAP server. The schema is defined in a set of files. The files relate to the type of LDAP server that is being used. These files are installed during the installation of the Tivoli Access Manager runtime and are used as input to the automatic schema update process when you configure the policy server. Normally, the schema is updated when the policy server is configured. When migrating an existing installation of Tivoli Access Manager, the schema on the LDAP server must be upgraded to the current version using the ivrgy_tool utility. The following files contain the LDAP-specific schema:
secschema.def
Used for Tivoli Directory Server
nsschema.def
Used for Sun Java System Directory Server or Sun ONE Directory Server
novschema.def
Used for Novell eDirectory Server
An administrator can also apply and update the schema by using one of these files as the LDAP Data Interchange Format (LDIF) input to the Tivoli Directory Server ldapmodify utility.
Note: The ivrgy_tool schema command cannot be used to apply the Tivoli Access Manager schema to the Active Directory Application Mode (ADAM). To add the Tivoli Access Manager schema to ADAM, see Configuring the Tivoli Access Manager schema for Active Directory Application Mode (ADAM) on page 121.
Parameters
-d
Indicates verbose mode.
-D admin_dn
Specifies the distinguished name of the LDAP administrator. The format for a distinguished name is similar to cn=root.
-h host_name
Specifies the IP address or host name of the LDAP server. Valid values include any valid IP host name; for example:
host = libra
host = libra.dallas.ibm.com
When used in a Tivoli Directory Server proxy environment, the value is the IP address or host name of the back-end server on which to set the ACLs.
-K keyfile
Specifies the fully qualified path and file name of the SSL key database. This parameter is required only when the -Z parameter is specified. Use the SSL key file to handle certificates that are used in LDAP communication. The file type can be anything, but the extension, as shown in the following example for the policy server, is usually .kdb.
Policy server on Windows
C:\Program Files\Tivoli\Policy Director\keytab\ivmgrd.kdb
Policy server on Linux or UNIX
/opt/PolicyDirector/keytab/ivmgrd.kdb
-N keyfile_label
Specifies the label name of the client certificate in the SSL key database that is sent to the LDAP server if the LDAP server is configured to perform both server and client authentication during SSL establishment. This parameter is valid only when SSL is being used (indicated by using the -Z parameter) and when the LDAP server has been configured to require client authentication. If the installation wizard was used, the default client certificate label is PDLDAP.
-p port
Specifies the port number of the LDAP server. Use the LDAP server-configured port number. The default port number is 636 if Secure Sockets Layer (SSL) is used and 389 if SSL is not used. When used in a Tivoli Directory Server proxy environment, the value is the port number of the back-end server.
-P keyfile_password
Specifies the password for the SSL key database. This parameter is required only if the -Z parameter is specified.
-w admin_password
Specifies the password of the LDAP administrator.
-Z
Indicates that SSL is used.
add-acls domain_name
Indicates that the required access control lists (ACLs) should be applied to all suffixes that were defined on the LDAP server for the specified domain. When the policy server is configured, the management domain (Default) is created. When using the add-acls parameter in a Tivoli Directory Server proxy environment, at a minimum, always apply the ACLs to the management domain. This option is useful for adding access control to suffixes that were added to the LDAP server after the policy server is configured.
schema
Updates the Tivoli Access Manager schema. Use this parameter when:
v You are using a version of Tivoli Directory Server prior to version 6.1. For example, you are using Tivoli Directory Server version 5.2.
v You are using an LDAP server other than Tivoli Directory Server. For example, you are using Novell eDirectory Server.
Note: This command cannot be used when ADAM is used as the LDAP registry.
Return codes
0 The utility completed successfully.
1 The utility failed. When a utility fails, a description of the error and an error status code are provided.
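The proxy-environment procedure described above (apply add-acls to every back-end server, over SSL, starting with the management domain) as a script. This is an added example and not part of the IBM guide; it assumes ivrgy_tool is on the PATH (or named in IVRGY_TOOL), that the key database is the policy server's default ivmgrd.kdb (override with KEYFILE), and that the LDAP administrator and key database passwords are kept in owner-only files rather than typed into a shell.

```shell
#!/bin/sh
# Added example (not from the IBM guide): apply the Tivoli Access Manager ACLs to
# every back-end server behind a Tivoli Directory Server proxy, over SSL.
# Assumptions: ivrgy_tool is on PATH (or set IVRGY_TOOL); the SSL key database is
# the policy server's default ivmgrd.kdb (override with KEYFILE).
IVRGY_TOOL="${IVRGY_TOOL:-ivrgy_tool}"
KEYFILE="${KEYFILE:-/opt/PolicyDirector/keytab/ivmgrd.kdb}"

# Print the first line of a secret file, refusing files that group or others can
# read (characters 5-10 of the "ls -l" mode string must all be "-").
read_secret() {
    f="$1"
    [ -f "$f" ] || { echo "secret file missing: $f" >&2; return 1; }
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) ;;
        *) echo "secret file $f must be readable by its owner only" >&2; return 1 ;;
    esac
    head -n 1 "$f"
}

# apply_backend_acls DOMAIN ADMIN_DN ADMIN_PW KEYFILE_PW "host:port host:port ..."
# Runs "ivrgy_tool ... add-acls DOMAIN" once per back-end server and prints one
# "host:port rc=N" line each. Returns 1 if any server could not be processed; the
# loop continues so one unreachable server does not leave the others without ACLs.
apply_backend_acls() {
    domain="$1"; admin_dn="$2"; admin_pw="$3"; key_pw="$4"; backends="$5"
    failed=0
    for be in $backends; do
        host=${be%%:*}; port=${be##*:}
        case "$port" in
            ''|*[!0-9]*) echo "$be rc=skipped (bad port)"; failed=1; continue ;;
        esac
        rc=0
        "$IVRGY_TOOL" -h "$host" -p "$port" -D "$admin_dn" -w "$admin_pw" -d \
            -Z -K "$KEYFILE" -P "$key_pw" add-acls "$domain" || rc=$?
        echo "$be rc=$rc"
        [ "$rc" -eq 0 ] || failed=1
    done
    return $failed
}

# Typical call (management domain first, as the guide requires; 636 is the SSL port):
#   apply_backend_acls Default cn=root "$(read_secret /root/.ldap_admin_pw)" \
#       "$(read_secret /root/.kdb_pw)" "ldap1.example.com:636 ldap2.example.com:636"
```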
mgrsslcfg
Creates or modifies the SSL certificates of the policy server.
Syntax
mgrsslcfg -chgcert -l cert_life
mgrsslcfg -chgpwd -e password_life
mgrsslcfg -config [-e password_life] [-l cert_life] [-t ssl_timeout] [-a {yes|no}]
mgrsslcfg -modify [-e password_life] [-l cert_life] [-t ssl_timeout] [-a {yes|no}]
Description
Stop the Tivoli Access Manager policy server before running this utility.
Parameters
-a {yes|no}
Sets the key file password ssl-auto-refresh entry in the ivmgrd.conf configuration file. The value must be yes or no. The default value is yes.
-chgcert
Renews the SSL certificate. A new public-private key pair and certificate are created and stored in the key database.
-chgpwd
Changes the key database password. A new random password is generated and saved in the stash file. Before running this action, stop the policy server.
-config
Creates new key and stash files and generates new certificates for the policy server.
-e password_life
Sets the key file password expiration time in days. During a configuration action (-config), the default value is 183. When modifying:
v Specify 0 to use the currently configured value.
v Specify 183 if the currently configured value cannot be determined.
v Otherwise, specify a valid value from 1 to 7299.
-l cert_life
Sets the maximum certificate expiration time in days. The actual time used will be the lesser of this value and the number of days before the CA certificate for the policy server expires. The CA certificate lifetime is set to 7300 days at initial configuration of the policy server. During a configuration action (-config), the default value is 1460. When modifying:
v Specify 0 to use the currently configured value.
v Specify 1460 if the currently configured value cannot be determined.
v Otherwise, specify a valid value from 1 to 7299.
-modify
Modifies the current configuration.
-t ssl_timeout
Specifies the SSL session timeout in seconds. The ssl_timeout value must be in the range from 1 to 86400. During configuration, the default value is 7200.
Availability
This utility is located in one of the following default installation directories: v On Linux and UNIX operating systems:
/opt/PolicyDirector/sbin
When an installation directory other than the default is selected, this utility is located in the /sbin directory under the installation directory (for example, installation_directory/sbin).
Return codes
0 The utility completed successfully.
1 The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
pdbackup
Backs up, restores, and extracts Tivoli Access Manager data.
Syntax
pdbackup -action backup -list list_file [-path path] [-file filename]
pdbackup -action restore -file filename [-path path]
pdbackup -action extract -file filename -path path
pdbackup -usage
pdbackup -?
Description
Use the pdbackup utility to back up and restore Tivoli Access Manager data. As an alternative to a restore action, you can extract all archived files into a single directory. This utility is most commonly used for backing up, restoring, and extracting Tivoli Access Manager component files.
Parameters
Note that you can shorten a parameter name, but the abbreviation must be unambiguous. For example, you can type -a for -action or -l for -list. However, values for parameters cannot be shortened.
-?
Displays the syntax and an example for this utility.
-action [backup|restore|extract]
Specifies the action to be performed. This parameter supports one of the following values:
backup
Backs up the data, service information, or migration information to an archive file. The archive file has a .tar extension on Linux and UNIX operating systems and a .dar extension on Windows operating systems.
extract
Extracts the data from an archive file to a specified directory. This action is used during a two-machine migration only.
restore
Restores the data from the archive file.
-file filename
Specifies the name of the archive file. When this parameter is required, its value must be the fully qualified name of the archive file. When this parameter is optional, its value must be the name of the archive file only. For the extract and restore actions, this parameter is required. For the backup action, this parameter is optional. When used with the backup action, it specifies a file name other than the default name. The default name is the name of the service list file with the date and time of the file creation. On Linux and UNIX operating systems, the default file name is list_file_ddmmmyyyy.hh_mm.tar. On Windows operating systems, the default file name is list_file_ddmmmyyyy.hh_mm.dar.
-list list_file
Specifies the fully qualified name of the list file. The list file is an ASCII file that contains the information about the various files and data to back up. These files are located in the /etc directory under the component-specific installation directory. The following list contains the default file name and location of each component-specific list file by operating system (assuming that the default installation directory was used during installation):
Tivoli Access Manager data
On Linux and UNIX operating systems: /opt/PolicyDirector/etc/pdbackup.lst
On Windows operating systems: "C:\Program Files\Tivoli\Policy Director\etc\pdbackup.lst"
Tivoli Access Manager service information
On Linux and UNIX operating systems: /opt/PolicyDirector/etc/pdinfo.lst
On Windows operating systems: "C:\Program Files\Tivoli\Policy Director\etc\pdinfo.lst"
WebSEAL data
On Linux and UNIX operating systems: /opt/pdweb/etc/amwebbackup-instance.lst
On Windows operating systems: "C:\Program Files\Tivoli\pdweb\etc\amwebbackup-instance.lst"
Where instance is the name of the instance.
WebSEAL service information
On Linux and UNIX operating systems: /opt/pdweb/etc/pdinfo-amwebbackup-instance.lst
On Windows operating systems: "C:\Program Files\Tivoli\pdweb\etc\pdinfo-amwebbackup-instance.lst"
Where instance is the name of the instance.
Plug-in for Web Servers data
On Linux and UNIX operating systems: /opt/pdwebpi/etc/pdwebpi.lst
On Windows operating systems: "C:\Program Files\Tivoli\pdwebpi\etc\pdwebpi.lst"
Plug-in for Web Servers service information
On Linux and UNIX operating systems: /opt/pdwebpi/etc/pdinfo-pdwebpi.lst
On Windows operating systems: "C:\Program Files\Tivoli\pdwebpi\etc\pdinfo-pdwebpi.lst"
-path path
Specifies the target directory for the specified action. This parameter is required with the extract action, but is optional with the backup and restore actions.
v When specified with the backup action, specifies the target directory for the archive file. When not specified, the command uses the default directory for the component. The following list contains the default directory for each component by operating system:
On Linux and UNIX operating systems: /var/PolicyDirector/pdbackup/
On Windows operating systems: c:\program files\tivoli\policy director\pdbackup\
v With the extract action, specifies the directory where the files that are extracted from the archive file are stored. There is no default value for the -path parameter when used for an extract action.
v On Linux and UNIX operating systems only, when specified with the restore action, specifies the directory where the files from the archive file are restored. By default, this path is the one used during the backup process. On Windows operating systems, the restore process does not support the -path parameter; the files are restored to their original directory.
-usage
Displays the syntax and an example for this utility.
Availability
This utility is located in one of the following default installation directories: On Linux and UNIX operating systems:
/opt/PolicyDirector/bin
When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).
Return codes
0 The utility completed successfully.
1 The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
Examples
v The following example backs up the Tivoli Access Manager data on a Windows operating system using default values for the archive files:
pdbackup -a backup -list \
c:\program files\tivoli\policy director\etc\pdbackup.lst
If the command is run on December 22, 2005 at 10:22 AM, the pdbackup.lst_22dec2005.10_22.dar archive file is created and stored in the c:\program files\tivoli\policy director\pdbackup\ directory.
v The following example backs up the WebSEAL service information on a UNIX operating system and stores the archive in the /var/backup directory:
pdbackup -a backup -list \
/opt/pdweb/etc/pdinfo-amwebbackup.lst \
-path /var/backup
If the command is run on December 22, 2005 at 10:22 AM, the pdinfo-amwebbackup.lst_22dec2005.10_22.tar archive file is created and stored in the /var/backup directory.
v The following example backs up the Plug-in for Web Servers files on a Linux operating system and creates the webpi.tar file in the /var/pdback directory:
pdbackup -a backup -list \
/opt/pdwebpi/etc/pdwebpi.lst \
-f webpi -p /var/pdback
Independent of when the command is run, the webpi.tar file is created in the /var/pdback directory. The .tar file extension is added to the file name during the backup process.
v The following example restores the pdbackup.lst_22dec2005.10_22.dar archive file on a Windows operating system from the default location:
pdbackup -a restore -f c:\program files\tivoli\policy \
director\pdbackup\pdbackup.lst_22dec2005.10_22.dar
The file is restored to its original location. On Windows operating systems, files cannot be restored to another location.
v The following example restores the amwebbackup.lst_22dec2005.10_22.tar archive file that is stored in the /var/pdbackup directory to the /amwebtest directory:
pdbackup -a restore -f \
/var/pdbackup/amwebbackup.lst_22dec2005.10_22.tar \
-p /amwebtest
v The following example extracts the amwebbackup.lst_22dec2005.10_22.tar archive file that is stored in the /var/pdbackup directory to the /amwebextracttest directory:
pdbackup -a extract -f \
/var/pdbackup/amwebbackup.lst_22dec2005.10_22.tar \
-p /amwebextracttest
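A wrapper around the backup action shown in the examples above: it pins the archive name with -file and the directory with -path, then checks what pdbackup wrote and restricts access to it, since the archives hold the component's configuration, key databases and stash files. This is an added example and not part of the IBM guide; it assumes Linux or UNIX, pdbackup on the PATH (or named in PDBACKUP), and sha256sum for the optional digest.

```shell
#!/bin/sh
# Added example (not from the IBM guide): run "pdbackup -action backup" with an
# explicit archive name and directory, then verify and lock down the archive.
# Assumptions: Linux/UNIX, pdbackup on PATH (override with PDBACKUP), and
# sha256sum available for the optional integrity digest.
PDBACKUP="${PDBACKUP:-pdbackup}"

# Archive name pdbackup chooses on Linux/UNIX when -file is omitted:
#   <list file name>_ddmmmyyyy.hh_mm.tar  (e.g. pdbackup.lst_22dec2005.10_22.tar)
# $1 = list file path, $2 = date as ddmmmyyyy, $3 = time as hh_mm
pd_default_archive_name() {
    printf '%s_%s.%s.tar\n' "$(basename "$1")" "$2" "$3"
}

# pd_backup_verified LIST_FILE DEST_DIR ARCHIVE_NAME
# ARCHIVE_NAME is given without extension; pdbackup appends .tar. Prints the
# archive path on success and returns 1 on any failure.
pd_backup_verified() {
    list="$1"; dest="$2"; name="$3"
    [ -r "$list" ] || { echo "list file not readable: $list" >&2; return 1; }
    # Owner-only target directory: archives hold configuration, key databases
    # and stash files, so nobody else should be able to read them.
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    rc=0
    "$PDBACKUP" -action backup -list "$list" -file "$name" -path "$dest" || rc=$?
    [ "$rc" -eq 0 ] || { echo "pdbackup failed, rc=$rc" >&2; return 1; }
    archive="$dest/$name.tar"
    # An empty or unreadable archive counts as a failed backup, whatever
    # return code pdbackup gave.
    [ -s "$archive" ] || { echo "archive missing or empty: $archive" >&2; return 1; }
    tar -tf "$archive" > /dev/null || { echo "archive is not a readable tar: $archive" >&2; return 1; }
    chmod 600 "$archive"
    # Digest stored beside the archive so a later restore can detect tampering.
    if command -v sha256sum > /dev/null 2>&1; then
        (cd "$dest" && sha256sum "$name.tar" > "$name.tar.sha256") || return 1
    fi
    echo "$archive"
}

# pd_archive_intact ARCHIVE: verify the stored digest before "-action restore".
pd_archive_intact() {
    dir=$(dirname "$1"); base=$(basename "$1")
    [ -f "$dir/$base.sha256" ] || { echo "no digest recorded for $1" >&2; return 1; }
    (cd "$dir" && sha256sum -c --status "$base.sha256")
}

# Typical use on a policy server (paths are the guide's Linux/UNIX defaults):
#   a=$(pd_backup_verified /opt/PolicyDirector/etc/pdbackup.lst /var/backup "tam_$(date +%Y%m%d)") \
#       && pd_archive_intact "$a"
```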
pdconfig
Configures and unconfigures Tivoli Access Manager components. See the IBM Tivoli Access Manager for e-business: Installation Guide for step-by-step instructions on how to use this utility.
Syntax
pdconfig
Parameters
None.
Availability
This utility is located in one of the following default installation directories: v On Linux and UNIX operating systems:
/opt/PolicyDirector/bin
When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).
Return codes
0 The utility completed successfully.
1 The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
pdjrtecfg
Configures or unconfigures Tivoli Access Manager Runtime for Java. This component enables Java applications to manage and use Tivoli Access Manager security.
Syntax
pdjrtecfg -action config -host policy_server_host [-port policy_server_port] [-java_home jre_home] [-domain domain_name] [-config_type full] [-enable_tcd [-tcd path]]
pdjrtecfg -action config -config_type standalone
pdjrtecfg -action config -interactive
pdjrtecfg -action config -rspfile properties_file
pdjrtecfg -action name
pdjrtecfg -action status [-java_home jre_home]
pdjrtecfg -action unconfig [-java_home {jre_home|all}]
pdjrtecfg -action unconfig -interactive
pdjrtecfg -operations
pdjrtecfg -help [options]
pdjrtecfg -usage
pdjrtecfg -?
Description
This utility copies Tivoli Access Manager Java libraries to a library extensions directory that exists for a Java runtime that has already been installed on the system. Using this utility does not overwrite JAR files that already exist in the jre_home\lib\ext directory, except the PD.jar file that is overwritten if the file exists. You can install more than one Java runtime on a given machine. The pdjrtecfg utility can be used to configure the Tivoli Access Manager Runtime for Java independently to each of the JREs. Note: Make sure that you use the pdjrtecfg utility and not the PdJrteCfg Java class directly.
Parameters
-?
Displays the syntax for this utility.
-action {config|name|status|unconfig}
Specifies the action to be performed, which is one of the following values:
config
Configures the Tivoli Access Manager Runtime for Java component.
name
Retrieves the Tivoli Access Manager Runtime for Java component package name and returns the name value to the pdconfig utility. This parameter is used only by pdconfig. Do not use this parameter from the command line.
status
Determines and returns the Tivoli Access Manager Runtime for Java component configuration status information to the pdconfig utility. This parameter is used only by pdconfig. Do not use this parameter from the command line.
unconfig
Unconfigures the Tivoli Access Manager Runtime for Java component.
-config_type {full|standalone}
Specifies the configuration mode. The default value is full.
full
Performs all of the required configuration steps, including the generation of the server-side certificate for the policy server.
standalone
Performs all of the required configuration steps, except for the generation of the server-side certificate for the policy server. With this configuration, you can use the Tivoli Access Manager Java APIs without requiring a policy server. Typically, this configuration is used during the configuration of a Tivoli Access Manager development environment.
-domain domain
Specifies the local domain name for the Java runtime being configured. A local domain is a Tivoli Access Manager secure domain that is used by programs when no explicit domain is specified. If this parameter is not specified, the local domain will default to the management domain.
-enable_tcd [-tcd path]
Enables Tivoli Common Directory (TCD) logging, if not already enabled, and specifies the fully qualified path location to use for common logging. When TCD is enabled, all Tivoli Access Manager message log files will be placed in this common location.
-help [options]
Provides online help for one or more utility options by displaying descriptions of the valid command line options. Alternatively, provides online help about a specific command line parameter.
-host policy_server_host
Specifies the Tivoli Access Manager policy server host name. Valid values include any valid IP host name. Examples:
host = libra
host = libra.dallas.ibm.com
-interactive
Specifies the interactive mode, in which the user is prompted for configuration information to configure the Tivoli Access Manager Runtime for Java component. If not specified, the configuration program will run in non-interactive (silent) mode.
-java_home jre_path
Specifies the fully qualified path to the Java runtime (such as the directory ending in JRE). If this parameter is not specified, the home directory for the JRE in the PATH statement will be used. If the home directory for the JRE is not in the PATH statement, this utility fails. During unconfiguration, you can specify the all parameter that unconfigures all configured JREs.
-operations
Prints out all the valid command line options.
-port policy_server_port
Specifies the Tivoli Access Manager policy server port number. The default value is 7135.
-rspfile properties_file
Specifies the fully qualified path and file name of the properties file to use during silent configuration. A properties file can be used for configuration. There is no default properties file name. The properties file contains parameter=value pairs. The following rules apply to properties files:
v All slashes in the java_home parameter path must be either:
Escaped with a second back slash (\)
A single front slash (/)
For example:
java_home=c:\\Program Files\\IBM\\Java15
or
java_home=c:/Program Files/IBM/Java15
v The path must not include quotation marks.
To use properties files, see Chapter 27, Using response files, on page 607.
-usage
Displays the syntax for this utility.
Availability
This utility is located in one of the following default installation directories: v On Linux and UNIX operating systems:
/opt/PolicyDirector/sbin
When an installation directory other than the default is selected, this utility is located in the /sbin directory under the installation directory (for example, installation_directory/sbin).
Return codes
0 The utility completed successfully.
1 The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
Examples
v The following example configures the Tivoli Access Manager Runtime for Java component:
pdjrtecfg -action config -host sys123.acme.com -port 7135 -java_home e:\apps\IBM\java15sr2\jre
v The following example unconfigures the Tivoli Access Manager Runtime for Java component:
pdjrtecfg -action unconfig -java_home e:\apps\IBM\java15sr2\jre
pdproxycfg
Configures or unconfigures a policy proxy server.
Syntax
pdproxycfg -action config -admin_id admin_id -admin_pwd password -policysvr policy_server_name -admin_port policy_server_port -host proxy_server_name -proxy_port proxy_server_port -ssl_enabled {yes|no} -keyfile keyfile -key_pwd password -key_label label -ssl_port ssl_port
pdproxycfg -action config -rspfile response_file
pdproxycfg -action config -interactive {yes|no}
pdproxycfg -action unconfig -interactive {yes|no}
pdproxycfg -operations
pdproxycfg -help [options]
pdproxycfg -usage
pdproxycfg -?
Description
Use the pdproxycfg utility to configure a policy proxy server from the command line. The utility can be run in interactive mode, command line mode, or response file mode. In interactive mode, the user is prompted to supply the necessary values. In command line mode, all options can be specified from the command line. In response file mode, the utility obtains the necessary parameters from the response file. When the response file does not contain a necessary parameter, the user is prompted to supply it. The response file must be created manually.
Parameters
-?
Displays the syntax for this utility.
-action {config|name|status|unconfig}
This parameter takes one of the following arguments:
config
Configures a policy proxy server.
name
Retrieves the policy proxy server name and returns the name value to the pdconfig utility. This parameter is used only by the pdconfig utility. Do not use this parameter from the command line.
status
Returns the status value to the pdconfig utility. This parameter is used only by the pdconfig utility. Do not use this parameter from the command line.
unconfig
Unconfigures a policy proxy server.
-admin_id admin_id
Specifies the name of the administrative user in the Default domain. Because the policy proxy server represents the policy server, and therefore is able to represent all of the defined domains at the policy server, the policy proxy server must be configured into the Default domain. The default value is sec_master.
-admin_port policy_server_port
Specifies the port number of the Tivoli Access Manager policy server. The default port number is 7139.
-admin_pwd password
Specifies the password of the administrative user. The default value is sec_master.
-help [options]
Returns online help for one or more utility options by displaying descriptions of the valid command line options. Alternatively, provides online help about a specific command line option.
-host proxy_server_name
Specifies the host name that is used by the policy server to contact the policy proxy server. Valid values include any valid IP host name. For example:
libra.dallas.ibm.com
-interactive {yes|no}
Specifies that the configuration is to be done interactively by the administrator (yes) or silently (no).
-key_label label
Specifies the label of the SSL LDAP client certificate. This parameter is used only when SSL communication is enabled between the policy proxy server and an LDAP server.
-key_pwd password
Specifies the password of the LDAP SSL key file. This parameter is required only when SSL communication is enabled between the policy proxy server and the LDAP server.
-keyfile keyfile
Specifies the LDAP SSL key file. This parameter is required only when SSL communication is enabled between the policy proxy server and an LDAP server.
-operations
Prints out all the valid command line options.
-policysvr policy_server_name
Specifies the host name of the Tivoli Access Manager policy server or other policy proxy server that can be used for configuration and unconfiguration.
-proxy_port proxy_server_port
Specifies the port on which the policy proxy server listens for incoming proxy requests. The default value is 7138.
-rspfile response_file
Specifies the fully qualified path and file name of the response file to use during silent configuration. A response file can be used for configuration. There is no default response file name. The response file contains stanzas and parameter=value pairs. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.
-ssl_enabled {yes|no}
Specifies whether to enable SSL communication between the policy proxy server and the LDAP server. Valid indicators are yes or no.
-ssl_port ssl_port
The port number on which SSL communication takes place between the policy proxy server and the LDAP server. This parameter is used only when SSL communication is enabled between the policy proxy server and an LDAP server.
-usage
Displays the syntax for this utility.
Availability
This utility is located in one of the following default installation directories: v On Linux and UNIX operating systems:
/opt/PolicyDirector/sbin/
When an installation directory other than the default is selected, this utility is located in the /sbin directory under the installation directory (for example, installation_directory/sbin).
Return codes
0 The utility completed successfully.
1 The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
Examples
v The following example configures a policy proxy server with SSL communication enabled with an LDAP server:
pdproxycfg -action config -host diamond.subnet2.ibm.com \
-proxy_port 7234 -admin_id sec_master -admin_pwd mypassw0rd \
-policysvr libra.subnet2.ibm.com -admin_port 7242 -ssl_enabled yes \
-keyfile /tmp/client.kdb -key_pwd mypassw0rd -key_label ibm_cert \
-ssl_port 636
pdsmsclicfg
Configures the command line administration utility for the session management server.
Syntax
pdsmsclicfg -action config [-rspfile response_file] [-interactive {yes|no}] [-tam_integration {yes|no}] [-aznapi_app_config_file path_name] [-webservice_location host:port[,host:port...]] [-instances name1,name2] [-ssl_enable {yes|no}] [-sslkeyfile path] [-sslkeyfile_stash path] [-sslkeyfile_label label]
pdsmsclicfg -action unconfig
pdsmsclicfg -action name
pdsmsclicfg -action version
pdsmsclicfg -action upgrade
Description
The pdsmsclicfg utility configures or unconfigures the session management server command line administration utility. A log of the configuration progress is written to the msg_pdsmsclicfg.log log file, which is located in the /var/pdsms/log directory on Linux and UNIX operating systems and in the installation_directory\log directory on Windows operating systems. This utility can be run either interactively, where the user is prompted to provide configuration information, or silently, where the utility accepts input from a response file or the command line. If integration with Tivoli Access Manager is enabled during configuration, the program prompts the user to specify the path to the configuration file for an already configured aznapi application. The program prompts the user to specify the location of the Web service. The location of the Web service is defined by a host name and port that are separated by a colon (host:port). The user can specify multiple locations, separated by commas. If this Web service uses a secure connection, the program prompts the user for the SSL options. You must also specify the session management server instance or instances. The configuration information is saved to /opt/pdsms/etc/pdsmsclicfg.conf. The presence of this configuration file is used to determine the configuration status of the utility. The command line executable on Windows is pdsmsclicfg-cl.exe.
Parameters
-action {config|unconfig|upgrade|name|version}
Specifies the action to be performed, which is one of the following values:
config
Configures the command line administration utility.
unconfig
Fully unconfigures the command line administration utility. No other parameters are required.
name
Displays the translated "Session Management Command Line" name. No other options are required.
upgrade
Performs a configuration upgrade from a previous version.
version
Displays the version number for the currently installed SMS CLI package.
-rspfile response_file
Specifies the fully qualified path and file name of the response file to use during silent configuration. A response file can be used for configuration. There is no default response file name. The response file contains stanzas and parameter=value pairs. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.
-interactive {yes|no}
Indicates whether the configuration is interactive. The default value is yes.
-tam_integration {yes|no}
Specifies whether integration with the Tivoli Access Manager administration framework is required. The default value is no.
-aznapi_app_config_file path_name
Specifies the fully qualified name of the configuration file for the hosting authorization server. Only required if Tivoli Access Manager integration is enabled.
-webservice_location host:port
Specifies the location of the session management server Administration Web service. The location is the name of the hosting server and the port on which the Web service resides. Multiple locations can be specified. When specifying multiple locations, separate the locations with commas.
-instances name1,name2
The session management server instances which are to be administered. The instance names should be separated by a comma. The default value is DSess.
-ssl_enable {yes|no}
Indicates whether SSL communication with the Web server should be enabled.
-sslkeyfile path
Specifies the fully qualified name of the SSL key file to use when communicating with the session management server Web service. Use this parameter only when the -ssl_enable parameter is set to yes.
-sslkeyfile_label label
Specifies the SSL key file label of the certificate to be used. Use this parameter only when the -ssl_enable parameter is set to yes.
-sslkeyfile_stash path
Specifies the fully qualified name of the stash file that contains the password for the SSL key file. Use this parameter only when the -ssl_enable parameter is set to yes.
Availability
This utility is located in one of the following default installation directories:
- On Linux and UNIX operating systems:
Chapter 26. Tivoli Access Manager utilities
/opt/pdsms/bin
On Windows, use pdsmsclicfg-cl.exe to run the command-line version; the pdsmsclicfg command starts the wizard. When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, installation_directory/bin).
Return codes
0
    The utility completed successfully.
non-zero
    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
pdversion
Lists the current version of Tivoli Access Manager components that are installed on the system.
Syntax
pdversion [-key key1,key2,...keyX] [-separator delimiter_character]
Parameters
-key key1,key2,...keyX
    Specifies the component or components whose current version is displayed. Possible values are as follows:
    - pdacld
    - pdadk
    - pdjrte
    - pdmgr
    - pdproxy
    - pdrte
    - pdsms
    - pdweb
    - pdwebars
    - pdwebadk
    - pdwpi
    - pdwsl
    - pdwpm
-separator delimiter_character
    Specifies the separator that delimits the description of the component from its version.
Availability
This utility is located in one of the following default installation directories:
- On Linux and UNIX operating systems:
/opt/PolicyDirector/bin
When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).
Return codes
0
    The utility completed successfully.
1
    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
Examples
- The following example lists the base components of Tivoli Access Manager:

  > pdversion
  IBM Tivoli Access Manager Runtime                    6.1.1.0
  IBM Tivoli Access Manager Policy Server              6.1.1.0
  IBM Tivoli Access Manager Policy Proxy Server        Not Installed
  IBM Tivoli Access Manager Web Portal Manager         Not Installed
  IBM Tivoli Access Manager Application Developer Kit  6.1.1.0
  IBM Tivoli Access Manager Authorization Server       6.1.1.0
  IBM Tivoli Access Manager Runtime for Java           Not Installed

- The following example lists the Tivoli Access Manager Runtime package (PDRTE) and specifies X as the delimiter that separates the component description from its version:

  > pdversion -key pdrte -separator X
  IBM Tivoli Access Manager RuntimeX6.1.0.0
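As an added example that is not part of the IBM documentation, the following Python parses both pdversion output layouts shown above (the default whitespace-aligned layout and the one produced with -separator) and reports installed components that are below a required fix level, which is the check an administrator wants after applying a fix pack. The sample outputs are constructed from the two examples on this page.

```python
"""Parse pdversion output and flag components that are below a required level.

Added example, not IBM code. The sample outputs below are constructed from the
two pdversion examples on this page.
"""
import re

NOT_INSTALLED = "Not Installed"

# Default layout: description, a run of spaces, then a dotted version or the
# words "Not Installed" at the end of the line.
_DEFAULT_LINE = re.compile(
    r"^(?P<desc>.+?)\s+(?P<ver>\d+(?:\.\d+)+|Not Installed)\s*$")

# Constructed sample of 'pdversion' run with no options.
SAMPLE_DEFAULT = """\
IBM Tivoli Access Manager Runtime                    6.1.1.0
IBM Tivoli Access Manager Policy Server              6.1.1.0
IBM Tivoli Access Manager Policy Proxy Server        Not Installed
IBM Tivoli Access Manager Web Portal Manager         Not Installed
IBM Tivoli Access Manager Application Developer Kit  6.1.1.0
IBM Tivoli Access Manager Authorization Server       6.1.1.0
IBM Tivoli Access Manager Runtime for Java           Not Installed
"""

# Constructed sample of 'pdversion -key pdrte -separator X'.
SAMPLE_SEPARATOR = "IBM Tivoli Access Manager RuntimeX6.1.0.0\n"


def parse_pdversion(text, separator=None):
    """Return {component description: version string} from pdversion output.

    With separator=None the default layout is parsed. Otherwise each line is
    split at the last occurrence of the separator character, which is what
    '-separator' places between the description and the version; splitting at
    the last occurrence keeps a description that itself contains the character
    intact, as long as the version string does not contain it.
    """
    versions = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if separator is None:
            match = _DEFAULT_LINE.match(line)
            if match is None:
                raise ValueError(f"unrecognised pdversion line: {line!r}")
            versions[match.group("desc")] = match.group("ver")
        else:
            desc, found, ver = line.rpartition(separator)
            if not found:
                raise ValueError(f"separator {separator!r} missing in: {line!r}")
            versions[desc.strip()] = ver.strip()
    return versions


def _version_key(version):
    """'6.1.1.0' -> (6, 1, 1, 0) so that versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def installed_components(versions):
    """Sorted descriptions of the components that are actually installed."""
    return sorted(desc for desc, ver in versions.items() if ver != NOT_INSTALLED)


def components_below(versions, required):
    """Installed components whose version is lower than 'required'.

    After a fix pack every installed component should report the fix pack
    level; anything lower was missed by the upgrade.
    """
    wanted = _version_key(required)
    return sorted(desc for desc, ver in versions.items()
                  if ver != NOT_INSTALLED and _version_key(ver) < wanted)


if __name__ == "__main__":
    base = parse_pdversion(SAMPLE_DEFAULT)
    print("installed:", installed_components(base))
    print("below 6.1.1.0:", components_below(base, "6.1.1.0"))
    runtime = parse_pdversion(SAMPLE_SEPARATOR, separator="X")
    print("below 6.1.1.0:", components_below(runtime, "6.1.1.0"))
```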
pdwpicfg
Configures or unconfigures the Plug-in for Web Servers.
Syntax
pdwpicfg -action config -admin_id admin_id -admin_pwd password -auth_port port_number -web_server {iis|iplanet|ihs|apache} -iis_filter {yes|no} -web_directory installation_directory -vhosts virtual_host_id -ssl_enable {yes|no} -keyfile keyfile -key_pwd password -key_label label -ssl_port port_number
pdwpicfg -action config -interactive {yes|no}
pdwpicfg -action config -rspfile response_file
pdwpicfg -action unconfig -admin_id admin_id -admin_pwd password -force {yes|no} -remove {none|acls|objspace|all} -vhosts virtual_host_id
pdwpicfg -action unconfig -interactive {yes|no}
pdwpicfg -operations
pdwpicfg -help [options]
pdwpicfg -usage
pdwpicfg -?
Parameters
-?
    Displays the syntax and an example for this utility.
-action {config|unconfig}
    Indicates the action to perform. This parameter takes one of the following values:
    config    Configures the Tivoli Access Manager Plug-in for Web Servers.
    unconfig  Unconfigures the Tivoli Access Manager Plug-in for Web Servers.
-admin_id admin_id
    Specifies the administration user identifier (the administrative user is normally sec_master).
-admin_pwd password
    Specifies the password for the administrative user.
-auth_port port_number
    Specifies the port number of the authorization server. The default value is 7237.
-help [options]
    Lists the name of each parameter and a short description. If one or more options are specified, it lists each of those parameters and a short description.
-interactive {yes|no}
    Enables interactive mode for the utility if yes; otherwise, disables interactive mode. The default value is yes.
-iis_filter {yes|no}
    Enables Internet Information Server (IIS) filtering if yes; otherwise, disables IIS filtering.
-keyfile keyfile
    Specifies the LDAP SSL key file. There is no default value. Specify this parameter when you are not running the utility in interactive mode and you have enabled SSL between the Plug-in for Web Servers and LDAP.
-key_label label
    Specifies the LDAP SSL key label. There is no default value. Specify this parameter when you are not running the utility in interactive mode and you have enabled SSL between the Plug-in for Web Servers and LDAP.
-key_pwd password
    Specifies the LDAP SSL key file password.
-operations
    Lists each of the parameter names, one after another, without a description.
-remove {none|acls|objspace|all}
    Specifies whether to remove the object space, the ACLs, or both as part of the unconfiguration process. The default value is none.
-rspfile response_file
    Specifies the fully qualified path and file name of the response file to use during silent configuration. There is no default response file name. The response file contains stanzas and parameter=value pairs. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.
-ssl_enable {yes|no}
    Enables SSL communication with LDAP if yes; otherwise, disables it. The default value is yes.
-ssl_port port_number
    Specifies the LDAP SSL port. The default value is 636.
-usage
    Displays the syntax and an example for this utility.
-vhosts virtual_host_id
    Specifies the identifiers of the virtual hosts to protect, as a comma-separated list of virtual host IDs with no spaces between them.
-web_directory installation_directory
    Specifies the Web server installation directory.
-web_server {iis|iplanet|ihs|apache}
    Specifies the type of Web server on which the Plug-in for Web Servers is to be installed. This parameter defaults to the type and location of the configured Web server. The following choices are supported:
    ihs      IBM HTTP Server
    iis      Internet Information Server
    iplanet  Sun Java System Web Server or Sun ONE Web Server
    apache   Apache Server
Availability
This utility is located in one of the following default installation directories:
- On Linux and UNIX operating systems:
/opt/pdwebpi/bin
When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).
Return codes
0
    The utility completed successfully.
1
    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
smscfg
Deploys and configures the session management server.
Syntax
smscfg -action {config|unconfig|deploy|undeploy|extract|upgrade|revert}

Configuration
smscfg -action config [-interactive {yes|no}] [-rspfile file_name] [-record file_name] [-was_port port] [-was_enable_security {yes|no}] [-was_admin_id administrator_id] [-was_admin_pwd password] [-trust_store file_name] [-trust_store_pwd password] [-keyfile file_name] [-key_pwd password] [-instance instance_name] [-enable_session_limit_policy {yes|no}] [-session_realm realm:max_login=replica_set1_name,replica_set2_name,...] [-session_realm_remove realm_name] [-enable_tcd {yes|no}] [-tcd fully_qualified_directory_name] [-enable_tam_integration {yes|no}] [-policysvr_host host_name] [-policysvr_port port] [-admin_id administrator_id] [-admin_pwd password] [-domain domain] [-authzsvr host_name:port:rank] [-cred_refresh_rule rule] [-enable_last_login {yes|no}] [-enable_last_login_database {yes|no}] [-last_login_table last_login_database_table_name] [-last_login_max_entries max_number_memory_entries] [-last_login_jsp_file file_name] [-last_login_jsp server_jsp_name] [-enable_database_session_storage {yes|no}] [-enable_auditing {yes|no}] [-auditing_properties file_name] [-key_lifetime key_lifetime] [-client_idle_timeout timeout]

Configuration with response file
smscfg -action config -rspfile file_name

Configuration, interactive
smscfg -action config -interactive

Unconfiguration
smscfg -action unconfig [-interactive {yes|no}] [-rspfile file_name] [-record file_name] [-was_port port] [-was_enable_security {yes|no}] [-was_admin_id administrator_id] [-was_admin_pwd password] [-trust_store file_name] [-trust_store_pwd password] [-keyfile file_name] [-key_pwd password] [-instance instance_name] [-admin_id administrator_id] [-admin_pwd password] [-remove_last_login_db {yes|no}]

Unconfiguration, response file
smscfg -action unconfig -rspfile file_name

Unconfiguration, interactive
smscfg -action unconfig -interactive

Deployment
smscfg -action deploy [-interactive {yes|no}] [-rspfile file_name] [-record file_name] [-was_port port] [-was_enable_security {yes|no}] [-was_admin_id administrator_id] [-was_admin_pwd password] [-trust_store file_name] [-trust_store_pwd password] [-keyfile file_name] [-key_pwd password] [-instance instance_name] [-enable_database_storage {yes|no}] [-database_name database_name] [-virtual_host host_name] [-clustered {yes|no}] [-was_node node_name] [-was_server server_name] [-was_cluster cluster_name]

Undeployment
smscfg -action undeploy [-interactive {yes|no}] [-rspfile file_name] [-record file_name] [-was_port port] [-was_enable_security {yes|no}] [-was_admin_id administrator_id] [-was_admin_pwd password] [-trust_store file_name] [-trust_store_pwd password] [-keyfile file_name] [-key_pwd password] [-instance instance_name]

Extract
smscfg -action extract [-interactive {yes|no}] [-rspfile file_name] [-record file_name] [-was_port port] [-was_enable_security {yes|no}] [-was_admin_id administrator_id] [-was_admin_pwd password] [-trust_store file_name] [-trust_store_pwd password] [-keyfile file_name] [-key_pwd password] [-instance instance_name]

Upgrade
smscfg -action upgrade [-interactive {yes|no}] [-rspfile file_name] [-record file_name] [-was_port port] [-was_enable_security {yes|no}] [-was_admin_id administrator_id] [-was_admin_pwd password] [-trust_store file_name] [-trust_store_pwd password] [-keyfile file_name] [-key_pwd password] [-instance instance_name]

Revert
smscfg -action revert [-interactive {yes|no}] [-rspfile file_name] [-record file_name] [-was_port port] [-was_enable_security {yes|no}] [-was_admin_id administrator_id] [-was_admin_pwd password] [-trust_store file_name] [-trust_store_pwd password] [-keyfile file_name] [-key_pwd password] [-instance instance_name]

Utility help
smscfg -help option
smscfg -usage
smscfg -?
Description
The smscfg utility deploys, configures, or unconfigures session management server instances. It can also extract the session management server configuration, and install or remove fixpack upgrades. A log of the configuration progress is written to the msg_smscfg.log file, which is located in the /var/pdsms/log directory on Linux and UNIX operating systems and in the installation_directory\log directory on Windows operating systems. This utility can be run either interactively, where the user is prompted to provide configuration information, or silently, where the utility accepts its input from a response file.
Parameters
-?
    Displays the syntax and an example for this utility.
-action {deploy|undeploy|config|unconfig|extract|upgrade|revert}
    Specifies the action to be performed, which is one of the following values:
    deploy    Deploys the session management server instance to a WebSphere Application Server.
    undeploy  Removes a session management server instance from a WebSphere Application Server.
    config    Configures or reconfigures a deployed session management server instance.
    unconfig  Unconfigures a session management server instance.
    extract   Extracts the configuration information from a session management server instance.
    upgrade   Upgrades to a new session management server fixpack.
    revert    Reverts to the previous session management server fixpack.
-admin_id administrator_id
    Specifies the Tivoli Access Manager administration ID. The default value is sec_master. This parameter is required when enable_tam_integration is set to yes.
-admin_pwd password
    Specifies the password for the Tivoli Access Manager administrator. This parameter is required when you specify the admin_id parameter.
-auditing_properties file_name
    Specifies the path to the properties file that contains the configuration of the auditing component.
-authzsvr host_name:port:rank
    Specifies the host name, port number, and rank of the Tivoli Access Manager authorization server. This optional parameter can be specified multiple times. A Tivoli Access Manager authorization server is required to use the session refresh capabilities or to use certificates issued by the Tivoli Access Manager policy server to authenticate session management clients. The default value is localhost:7136:1.
-client_idle_timeout timeout
    Specifies the idle timeout in seconds after which a client is considered idle. A client is considered idle if it is not actively requesting updates from the session management server. This parameter is optional.
-clustered {yes|no}
    Specifies whether the application will be deployed to a WebSphere cluster. The default value is no.
-cred_refresh_rule rule
    Specifies the rules to preserve when a user's credential is refreshed. The default credential refresh rule set is preserve=tagvalue_*.
-database_name database
    Specifies the name of the WebSphere JDBC data source that the session management server uses to access the database in which it stores its data. There is no default value.
-domain domain
    Specifies the name of the Tivoli Access Manager policy domain. This parameter is required when enable_tam_integration is set to yes. The default value is Default.
-enable_auditing {yes|no}
    Indicates whether auditing is required. The default value is no.
-enable_database_storage {yes|no}
    Indicates whether database storage is required. The parameter is meaningful only for WebSphere Application Server single-server deployments; if the application is deployed to a cluster, it is redundant. The default value is no. Setting this parameter to no sets the database configuration to the WebSphere default resource reference, normally jdbc/DataSource.
-enable_database_session_storage {yes|no}
    Indicates whether storage of session data in a database is required. The default value is no.
-enable_last_login {yes|no}
    Indicates whether last login information is stored. When set to yes, you must specify the following parameters or accept their default values:
    - last_login_jsp_file
    - last_login_max_entries
    - last_login_table
    The default value is no (last login information is not recorded). The enable_last_login parameter is required only when installing into a stand-alone application server; it is not required when installing into a cluster.
-enable_last_login_database {yes|no}
    Indicates whether last login information is stored in a database. The default value is no.
-enable_tam_integration {yes|no}
    Indicates whether to enable integration with Tivoli Access Manager or to change the enablement. When set to yes, you must specify the following parameters or accept their default values, where applicable:
    - policysvr_host
    - policysvr_port
    - authzsvr
    - admin_id
    - admin_pwd
    - domain
    The default value is no.
-enable_tcd {yes|no}
    Indicates whether Tivoli Common Directory logging is required. When set to yes, you must specify the tcd parameter. The default value is no.
-enable_session_limit_policy {yes|no}
    Specifies whether to enable the session limit and displacement policy. The default value is yes.
-help [options]
    Lists the name of each utility parameter and a short description. If one or more options are specified, it lists each of those parameters and a short description.
-instance instance_name
    Specifies the name of the instance to be administered. The default value is DSess.
-interactive {yes|no}
    Indicates whether the configuration is interactive. The default value is yes.
-key_lifetime lifetime
    Specifies the lifetime in seconds of the key for the session management server. After the defined lifetime elapses, a new key is generated. If this value is set to zero, keys are not automatically generated. This parameter is optional.
-key_pwd password
    Specifies the password to access the server-side certificates. This parameter is required when you specify the keyfile parameter. Otherwise, this parameter is optional.
-keyfile file_name
    Specifies the fully qualified name of the key store used when making a secure connection to WebSphere Application Server. The key store holds the server-side certificates. This parameter is required when you specify the was_admin_id parameter. Otherwise, this parameter is optional.
-last_login_jsp server_jsp_name
    Specifies the server-side path of the last login JSP file. This parameter is optional.
-last_login_jsp_file file_name
    Specifies the fully qualified name of the last login JSP file to use for recording last login information. This parameter is required when the enable_last_login parameter is set to yes. The default value is installation_directory/etc/lastLogin.jsp.
    Note: Configuration of the lastLogin.jsp file can produce a long Web browser URL, which could exceed the limits imposed by some proxy servers. To avoid this, access the WebSphere ISC using a direct connection to the Internet.
-last_login_max_entries maximum_entries
    Specifies the maximum number of entries to be stored in the memory cache for recording last login information. This parameter is required when the enable_last_login parameter is set to yes. The default value is 0. The last_login_max_entries parameter is required only when installing into a stand-alone application server; it is not required when installing into a cluster.
-last_login_table table_name
    Specifies the name of the database table to use for recording last login information. This parameter is required when the enable_last_login parameter is set to yes. The default value is AMSMSUSERINFOTABLE.
-operations
    Lists each of the parameter names, one after another, without a description.
-policysvr_host host_name
    Specifies the host name of the Tivoli Access Manager policy server. This parameter is required when enable_tam_integration is set to yes.
-policysvr_port port
    Specifies the port of the Tivoli Access Manager policy server. This parameter is required when you specify the policysvr_host parameter.
-record file_name
    Specifies the name of the response file to which the configuration parameters are recorded.
-remove_last_login_db {yes|no}
    Indicates whether the last login database should be removed. The default value is no.
-rspfile response_file
    Specifies the fully qualified path and file name of the response file to use during silent configuration. There is no default response file name. The response file contains stanzas and parameter=value pairs. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.
-session_realm [realm[:max_logins]=replica_set1,replica_set2,...]
    Specifies a session realm to add to the configuration. If the session realm name or any of the replica set names contains spaces, the entire argument must be enclosed in quotes. The max_logins value specifies the maximum number of concurrent logins permitted for the session realm; if it is not supplied, an unlimited number of concurrent logins is allowed. Replica set names must be separated by commas.
-session_realm_remove realm=set_name[,...][;realm=set_name[,...]...]
    Specifies the name of a session realm to be removed. If the session realm name contains spaces, the entire argument must be enclosed in quotes.
-tcd path_name
    Specifies the fully qualified directory to be used for Tivoli Common Directory logging. This parameter is required when enable_tcd is set to yes. If the Tivoli Common Directory has already been configured on the target system, this option is ignored.
-trust_store file_name
    Specifies the fully qualified name of the trust store used when making a secure connection to WebSphere Application Server. The trust store holds the client-side certificates. This parameter is required when you specify the was_admin_id parameter.
-trust_store_pwd password
    Specifies the password to access the client-side certificates. This parameter is required when you specify the trust_store parameter.
-usage
    Displays the syntax and an example for this utility.
-virtual_host host_name
    Specifies the name of the WebSphere virtual host to which to deploy the session management server application. If not specified, the application is deployed on the default virtual host.
-was_admin_id administrator_id
    Specifies the name of the administrator to use when making a secure connection to WebSphere Application Server. In interactive mode, this parameter is optional unless you are making a secure connection. When you use this parameter, you must also specify the was_admin_pwd parameter. When not making a secure connection, this parameter is optional.
-was_admin_pwd password
    Specifies the administrator's password to use when making a secure connection to WebSphere Application Server.
-was_cluster cluster_name
    Specifies the name of the WebSphere cluster to which to deploy the session management server application. This parameter is mutually exclusive with the was_server parameter. When using WebSphere Network Deployment and was_cluster is specified and there is only one cluster, the application is deployed to that cluster. When using WebSphere Network Deployment and was_cluster is specified and there is no cluster but only one server, the application is deployed to that server.
-was_enable_security {yes|no}
    Indicates whether communication with the WebSphere server uses a secure connection. When set to yes, you must specify the following parameters:
    - was_admin_id
    - was_admin_pwd
    - trust_store
    - trust_store_pwd
    - keyfile
    - key_pwd
    The default value is no.
-was_node node_name
    Specifies the name of the WebSphere node. This parameter is optional.
-was_port port
    Specifies the Simple Object Access Protocol (SOAP) port to use on the WebSphere server. This parameter is always required unless the interactive parameter is set to yes.
-was_server server_name
    Specifies the name of the WebSphere server to which to deploy the session management server application. This parameter is mutually exclusive with the was_cluster parameter. When using WebSphere Application Server (a single-server deployment) and was_server is not specified, the application is deployed to the server to which this configuration utility is connected.
Availability
This utility is located in one of the following default installation directories:
- On Linux and UNIX operating systems:
/opt/pdsms/bin
When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).
Return codes
0
    The utility completed successfully.
non-zero
    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
svrsslcfg
Configures, unconfigures, or modifies the configuration information of a resource manager to use an SSL connection for communicating with the policy server. This utility is used for C application servers only. For Java application servers, use the equivalent com.tivoli.pd.jcfg.SvrSslCfg Java class. For information about this Java class, see the IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference.
Syntax
svrsslcfg -add_replica -f cfg_file -h host_name [-p server_port] [-k replica_rank]
svrsslcfg -chg_replica -f cfg_file -h host_name [-p server_port] [-k replica_rank]
svrsslcfg -chgcert -f cfg_file [-P password] [-A admin_id]
svrsslcfg -chgport -f cfg_file -r port_number
svrsslcfg -chgpwd -f cfg_file -e password_life
svrsslcfg -config -f cfg_file -d kdb_dir -s server_mode -r port_number -P password [-S password] [-A admin_id] [-t ssl_timeout] [-e password_life] [-l listening_mode] [-a refresh_mode] [-C cert_file] [-h host_name] [-o login_domain] [-g group_list] [-D description]
svrsslcfg -modify -f cfg_file [-t ssl_timeout] [-C cert_file] [-l listening_mode]
svrsslcfg -rmv_replica -f cfg_file -h host_name
svrsslcfg -unconfig -f cfg_file -n appl_name [-P password] [-A admin_id] [-h host_name] [-o login_domain]
Parameters
-a refresh_mode
    Sets the certificate and key file password auto-refresh entry in the configuration file. The default value is yes.
-A admin_id
    Specifies the name of the Tivoli Access Manager administrator. The default value is sec_master. A valid administrative ID is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. You cannot use a space in the administrative ID. For example, for U.S. English the valid characters are the letters a-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). If there are limits, the minimum and maximum lengths of the ID are imposed by the underlying registry. See Appendix B, User registry differences, on page 637.
-add_replica
    Adds an authorization server replica to the configuration of a resource manager. A resource manager can contact a replica server to perform authorization decisions.
-C cert_file
    Specifies the fully qualified name of the file containing the base-64 encoded SSL certificate used when the server authenticates directly with the user registry.
-chg_replica
    Changes attributes of the replica server. The replica host name identifies the replica server and cannot be changed by this action.
-chgcert
    Renews the SSL certificate of the resource manager. Before running this action, stop the policy server. The certificate renewal process is as follows:
    - When an initial request for a certificate is made, a new public/private key pair is generated for the resource manager along with the certificate request. The certificate request, which contains the new public key for the resource manager, is sent to the Tivoli Access Manager policy server. The policy server signs the request and sends the newly signed certificate back to the resource manager. The resource manager stores the signed certificate in a secure keystore, together with the new private key. The lifetime of the new certificate is determined by the policy server's ssl-cert-life entry in the ivmgrd.conf configuration file, which gives the lifetime of a certificate in days. Any issued or renewed certificates use this value. The default value is 1460.
    - The certificate for a resource manager must be renewed if it has expired or has been compromised. It must also be renewed to adhere to any changes in the security policy. If both the certificate and the password to the key database file that contains the certificate expire, the password must be refreshed first.
-chgport
    Changes the listening port for a resource manager. Before running this action, stop the policy server.
-chgpwd
    Changes the key file password for a resource manager. Before running this action, stop the policy server.
-config
    Performs a full configuration of a resource manager.
-D description
    Specifies a description for the application. A valid description is an alphanumeric string that is not case-sensitive. String values are expected to be characters that are part of the local code set. Spaces are allowed. If the description contains a space, enclose the description in double quotation marks.
-d kdb_dir
    Specifies the directory that is to contain the key files for the server. A valid directory name is determined by the operating system. Do not use relative directory names. For example:
    On Linux and UNIX operating systems: /opt/PolicyDirector/keytab/ivmgrd.kdb
    On Windows operating systems: C:\Program Files\Tivoli\Policy Director\keytab\ivmgrd.kdb
    Make sure that the server user (for example, ivmgr) or all users have permission to access the .kdb file and the folder that contains it.
-e password_life
    Sets the key file password expiration time in days. This parameter is required.
    - Specify 0 to use the currently configured value.
    - Specify 183 days if the currently configured value cannot be determined.
    - Otherwise, valid values are from 1 to 7299.
    During a configuration action (-config) the default value is 183.
-f cfg_file
    Specifies the configuration path and file name. To be valid, the file name must be an absolute (fully qualified) file name. For example:
    On Linux and UNIX operating systems: /opt/PolicyDirector/etc/activedir.conf
    On Windows operating systems: C:\Program Files\Tivoli\Policy Director\etc\activedir.conf
-g group_list
    Specifies a list of groups to which this server should be added. The following names are not permitted in this list: ivacld_servers and remote_acl_users. The names must be separated by commas with no white space. If a group name contains a space, the entire list must be enclosed in double quotation marks.
-h host_name
    For a configuration action (-config) or an unconfiguration action (-unconfig), specifies the TCP host name used by the policy server to contact this server.
    - During a configuration action, this name is saved in the configuration file using the azn-app-host key. The default is the local host name returned by the operating system.
    - If not specified during an unconfiguration action, the value is retrieved from the configuration file. The default value is used only if a value cannot be determined from the configuration file. The default is the local host name returned by the operating system.
    For all other actions, specifies the TCP host name of an authorization server replica. Valid values include any valid IP host name. Examples:
    host = libra
    host = libra.dallas.ibm.com
-k replica_rank
    Specifies the replica's order of preference among other replicas. Replica servers with higher ranks are used preferentially. For example, a resource manager contacts a replica server with a ranking of 10 before contacting a replica server with a ranking of 9. The default value is 10.
-l listening_mode
    Sets the listening-enabled entry in the configuration file. The value must be yes or no. If not specified, the default is no. A value of yes requires that the -r parameter has a non-zero value.
-modify
    Changes the current configuration of a resource manager. Before running this action, stop the policy server. This action fails only if you are not authorized to run the utility or the policy server cannot be contacted. It is designed to clean up a partial or damaged configuration and to ensure that errors are not reported for information that is not valid or is missing.
-n appl_name
    Specifies the name of the application. The name is combined with the host name to create unique names for the Tivoli Access Manager objects created for your application. The following names are reserved for Tivoli Access Manager applications: ivacld, secmgrd, ivnet, and ivweb.
-o login_domain
    Specifies the name of the domain to which this server is configured. This domain must exist, and the administrator ID and password must be valid for it. If not specified, the local domain that was specified during Tivoli Access Manager runtime configuration is used; the local domain value is retrieved from the configuration file. A valid domain name is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. You cannot use a space in the domain name. For example, for U.S. English the valid characters for domain names are the letters a-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the domain name, if there are limits, are imposed by the underlying registry. See Appendix B, User registry differences, on page 637.
-p server_port
    Specifies the port number on which the replica server listens for requests. The default value is 7136.
-P password
    Specifies the password for the Tivoli Access Manager administrator user (admin_id). If this parameter is not specified, the administrator is prompted and the password is read from standard input (stdin).
-r port_number
    Sets the listening port number for the server. A value of 0 can be specified only if the [aznapi-admin-services] stanza in the configuration file is empty. During a configuration action (-config) this parameter is required.
-rmv_replica
    Removes an authorization server replica from the configuration of a resource manager.
-s server_mode
    Specifies the mode in which the application operates. This value must be either local or remote.
-S password
    Specifies the server password. This parameter is required. A password is created by the system and the configuration file is updated with it; the password is saved as an obfuscated value in the pd-user-pwd entry of the [aznapi-configuration] stanza in the configuration file specified with the -f parameter. If this parameter is not specified, the server password is read from standard input.
-t ssl_timeout
    Specifies the SSL session timeout in seconds. The value must be in the range 1 to 86400. The default value is 7200.
-unconfig
    Unconfigures a resource manager. The key files are deleted and the server is removed from the user registry and the Tivoli Access Manager database. Before running this action, stop the server application.
Availability
This utility is located in one of the following default installation directories:
- On Linux and UNIX operating systems: /opt/PolicyDirector/bin

When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).
Return codes
0   The utility completed successfully.
1   The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
Note: Response files are not available for all Tivoli Access Manager components.
Prerequisite systems
Table 54 lists options file templates for installation of Tivoli Access Manager Prerequisite systems using the installation wizard method.
Table 54. Installation wizard options file templates

Installs and configures the following Tivoli Access Manager prerequisite system   Template
IBM Tivoli Directory Server with IBM DB2                                            install_ldap_server.options.template

The IBM Tivoli Directory Server with IBM DB2 template is located in the \rspfile directory on the first IBM Tivoli Access Manager Directory Server CD for the supported platform.
Base systems
Table 55 lists options file templates for installation of Tivoli Access Manager base systems using the installation wizard method. These templates are located in the \rspfile directory on IBM Tivoli Access Manager Base CDs for the supported platform.
Table 55. Installation wizard options file templates

Installs and configures the following Tivoli Access Manager Base system   Template
Access Manager Authorization Server                                         install_amacld.options.template
Access Manager Application Development Kit (ADK)                            install_amadk.options.template
Access Manager Runtime for Java                                             install_amjrte.options.template
Access Manager Policy Server                                                install_ammgr.options.template
Access Manager Policy Proxy Server                                          install_amproxy.options.template
Access Manager Runtime                                                      install_amrte.options.template
Access Manager Web Portal Manager                                           install_amwpm.options.template
Response files are also available for configuration using native installation utilities for the following Tivoli Access Manager components.
Table 56. Response file templates for configuration using native installation utilities

Configures the following Tivoli Access Manager Base system   Template
Access Manager Web Portal Manager (configuration)            amwpmcfg.rsp.template
Access Manager Runtime for Java (configuration)              pdjrtecfg.rsp.template
Access Manager Policy Proxy Server (configuration)           pdproxycfg.rsp.template
Response files are also available for configuration using native installation utilities for the following Tivoli Access Manager components.
Table 58. Response file templates for configuration using native installation utilities

Tivoli Access Manager component                 Template
Access Manager WebSEAL (configuration)          amweb_config.rsp.template
Access Manager WebSEAL (unconfiguration)        amweb_unconfig.rsp.template

install_amsms_options.template
install_amsmscli_options.template
Note: Response files are not available for all Tivoli Access Manager components.
################################################################################
#
# User Input Field - regType (required)
#
# Enter the registry type. The valid options are: LDAP, Active Directory, or
# Domino.
#
### -W AMRTE_RegistryTypeUIPanel.regType="<value>"

################################################################################
#
# Directory name for GSKIT (Windows only)
#
# Specify the products installation directory.
#
### -W GSKIT_DestinationPanel.productInstallLocation="<value>"

################################################################################
#
# Directory name for IBM Tivoli Directory Server client (Windows only)
#
# Specify the products installation directory.
#
### -W LDAPC_DestinationPanel.productInstallLocation="<value>"

################################################################################
#
# Directory name for IBM Tivoli Security Utilities (Windows only)
#
# Specify the products installation directory.
#
### -W TIVSECUTL_DestinationPanel.productInstallLocation="<value>"

################################################################################
#
# Directory name for Tivoli Access Manager (Windows only)
# All Tivoli Access Manager products will be installed to the same location.
#
# Specify the products installation directory.
#
### -W AMRTE_DestinationPanel.productInstallLocation="<value>"

################################################################################
#
# User Input Field - useTcd
#
# Enable Tivoli Common Logging (yes or no)
#
### -W AM_TCDPanel.useTcd="no"

################################################################################
#
# User Input Field - tcdDir (required if useTcd=yes)
#
# Tivoli Common Directory - Specify the full path to where Tivoli common logging
# will occur.
#
### -W AM_TCDPanel.tcdDir="<value>"

################################################################################
#
# User Input Field - hostName
#
# Fully qualified host name of the Tivoli policy server
#
### -W AMRTE_ServerOptionsUIPanel.hostName="<value>"

################################################################################
#
# User Input Field - listeningPort
#
# Listening port of the Tivoli policy server. Default is 7135.
#
### -W AMRTE_ServerOptionsUIPanel.listeningPort="7135"

################################################################################
#
# User Input Field - certFile
#
# Fully qualified path to the local copy of the Tivoli policy servers
# certificate file. To have the system automatically download the file, leave
# the field empty. The default value is empty.
#
### -W AMRTE_ServerOptionsUIPanel.certFile="<value>"

################################################################################
#
# User Input Field - localDomain
#
# Local domain. The default is Default.
#
### -W AMRTE_ServerOptionsUIPanel.localDomain="<value>"

################################################################################
#
# User Input Field - localHostName
#
# Fully qualified host name of this machine. If left blank, the wizard will
# attempt to determine the host name automatically.
#
### -W AMRTE_ServerOptionsUIPanel.localHostName="<value>"

################################################################################
#
# User Input Field - ldapHost (required for LDAP registry type)
#
# Host name of IBM Tivoli Directory server (LDAP)
#
### -W AMRTE_LDAPOptionsUIPanel.ldapHost="<value>"

################################################################################
#
# User Input Field - ldapPort (required for LDAP registry type)
#
# Non-SSL listening port of IBM Tivoli Directory server (LDAP). The default is 389.
#
### -W AMRTE_LDAPOptionsUIPanel.ldapPort="389"

################################################################################
#
# User Input Field - enableSSL (used for LDAP registry type)
#
# Enable SSL communication with the LDAP or Active Directory server - yes or no
#
### -W AMRTE_EnableSSLUIPanel.enableSSL="no"

################################################################################
#
# User Input Field - multipleDomains (required for Active Directory registry type)
#
# Use multiple domains for Active Directory configuration: 1=Yes or 0=No
#
### -W AMRTE_ADServerInfoUIPanel.multipleDomains="0"

################################################################################
#
# User Input Field - hostName (required for Active Directory registry type)
#
# Active Directory host name
#
### -W AMRTE_ADServerInfoUIPanel.hostName="<value>"

################################################################################
#
# User Input Field - domainName (required for Active Directory registry type)
#
# Active Directory domain name
#
### -W AMRTE_ADServerInfoUIPanel.domainName="<value>"

################################################################################
#
# User Input Field - encryptedConnection
# (required for Active Directory registry type)
#
# Enable encrypted connections with the Active Directory server: 1=Yes, 0=No
#
### -W AMRTE_ADServerInfoUIPanel.encryptedConnection="0"

################################################################################
#
# User Input Field - multipleDomains
# (required for Active Directory registry type)
#
# This field may be the same as what was previously indicated.
#
# Use multiple domains for Active Directory configuration: 1=Yes or 0=No
#
### -W AMRTE_ADServerInfoDifDomUIPanel.multipleDomains="0"

################################################################################
#
# User Input Field - hostName (required for Active Directory registry type)
# This field may be the same as what was previously indicated.
#
# Active Directory host name
#
### -W AMRTE_ADServerInfoDifDomUIPanel.hostName="<value>"

################################################################################
#
# User Input Field - domainName (required for Active Directory registry type)
#
# Active Directory domain name
#
### -W AMRTE_ADServerInfoDifDomUIPanel.domainName="<value>"

################################################################################
#
# User Input Field - enableSSL (used for Active Directory registry type)
#
# Enable SSL connections with the Active Directory server: 1=Yes, 0=No
#
### -W AMRTE_ADServerInfoDifDomUIPanel.enableSSL="0"

################################################################################
#
# User Input Field - adminId (required for Active Directory registry type)
#
Chapter 27. Using response files
# Active Directory administrator Id
#
### -W AMRTE_ADAdminInfoUIPanel.adminId="<value>"

################################################################################
#
# User Input Field - adminPwd (required for Active Directory registry type)
#
# Active Directory administrator password
#
### -W AMRTE_ADAdminInfoUIPanel.adminPwd="<value>"

################################################################################
#
# User Input Field - sslKeyfile (required if using SSL)
#
# Fully qualified local copy of SSL keyfile used to communicate with LDAP
# server.
#
### -W AMRTE_SSLOptionsUIPanel.sslKeyfile="<value>"

################################################################################
#
# User Input Field - sslKeyfilePassword (required if using SSL)
#
# Password associated with the LDAP SSL keyfile.
#
### -W AMRTE_SSLOptionsUIPanel.sslKeyfilePassword="<value>"

################################################################################
#
# User Input Field - sslKeyfileLabel (required if using SSL)
#
# DN label associated with the LDAP SSL keyfile.
#
### -W AMRTE_SSLOptionsUIPanel.sslKeyfileLabel="<value>"

################################################################################
#
# User Input Field - sslPort (required if using SSL)
#
# SSL port of the LDAP server. The default is 636.
#
### -W AMRTE_SSLOptionsUIPanel.sslPort="636"

################################################################################
#
# User Input Field - enabled (required for Active Directory registry type)
#
# Enable the use of e-mail address as user ID (true or false)
#
### -W AMRTE_ADAltUPN.enabled="false"

################################################################################
#
# User Input Field - gcServer (required for Active Directory registry type)
#
# Global Catalog server host name
#
### -W AMRTE_ADAltUPN.gcServer="<value>"

################################################################################
#
# User Input Field - gcPort (required for Active Directory registry type)
#
# Global Catalog server port (cannot be changed) -- SSL: 3269 Non-SSL: 3268
#
### -W AMRTE_ADAltUPN.gcPort="3268"

################################################################################
#
# User Input Field - distName (required for Active Directory registry type)
#
# Access Manager data location: distinguished name
#
### -W AMRTE_ADDataInfoUIPanel.distName="<value>"

################################################################################
#
# User Input Field - dominoServer (required for Domino registry type)
#
# Domino server name
#
### -W AMRTE_DominoUIPanel.dominoServer="<value>"

################################################################################
#
# User Input Field - notesClientPwd (required for Domino registry type)
#
# Notes client password
#
### -W AMRTE_DominoUIPanel.notesClientPwd="<value>"

################################################################################
#
# User Input Field - nabDbName (required for Domino registry type)
#
# Notes address book database name
#
### -W AMRTE_DominoUIPanel.nabDbName="<value>"

################################################################################
#
# User Input Field - amDbName (required for Domino registry type)
#
# Access Manager database name
#
### -W AMRTE_DominoUIPanel.amDbName="<value>"

################################################################################
#
# Directory name for Tivoli Access Manager Policy Server (Windows only)
# Use the same value as Tivoli Access Manager (above).
#
# Specify the products installation directory.
#
### -W AMMGR_DestinationPanel.productInstallLocation="<value>"

################################################################################
#
# User Input Field - secmasterPwd
#
# Tivoli Access Manager administrator password
#
### -W AMMGR_ConfigOptions.secmasterPwd="<value>"

################################################################################
#
# User Input Field - secmasterPwdConfirm
#
# Password confirmation (re-enter the password from secmasterPwd)
#
### -W AMMGR_ConfigOptions.secmasterPwdConfirm="<value>"

################################################################################
#
# User Input Field - secmasterPort
#
# Policy server SSL port (default is 7135)
#
### -W AMMGR_ConfigOptions.secmasterPort="7135"

################################################################################
#
# User Input Field - SSLcertlife
#
# SSL certificate lifecycle (number of days). Default is 1460.
#
### -W AMMGR_ConfigOptions.SSLcertlife="1460"

################################################################################
#
# User Input Field - SSLtimeout
#
# SSL connection timeout (number of seconds). Default is 7200.
#
### -W AMMGR_ConfigOptions.SSLtimeout="7200"

################################################################################
#
# User Input Field - ldapadminid (required for LDAP registry type)
#
# LDAP administrator DN
#
### -W AMMGR_LdapOptions.ldapadminid="<value>"

################################################################################
#
# User Input Field - ldapadminpwd (required for LDAP registry type)
#
# LDAP administrator password
#
### -W AMMGR_LdapOptions.ldapadminpwd="<value>"

################################################################################
#
# User Input Field - ldapauthority (required for LDAP registry type)
#
# Management domain name. Default value is Default.
#
### -W AMMGR_LdapOptions.ldapauthority="Default"

################################################################################
#
# User Input Field - ldapauthsuffix (required for LDAP registry type)
#
# LDAP management domain location DN. Default value is empty.
#
### -W AMMGR_LdapOptions.ldapauthsuffix=""

################################################################################
#
# User Input Field - ldapdataformat (required for LDAP registry type)
#
# Indicates to use minimal data format or not. Minimal=6, Standard=0
# Default is Minimal (6).
#
### -W AMMGR_LdapDataFormat.ldapdataformat="6"

################################################################################
#
# User Input Field - enableSSL (required for LDAP registry type)
#
# Enable SSL communication with the LDAP server - yes or no
#
### -W AMMGR_EnableSSLUIPanel.enableSSL="no"

################################################################################
#
# User Input Field - sslKeyfile (required if enableSSL=yes)
#
# Fully qualified local copy of SSL keyfile used to communicate with LDAP
# server.
#
### -W AMMGR_SSLOptionsUIPanel.sslKeyfile="<value>"

################################################################################
#
# User Input Field - sslKeyfilePassword (required if enableSSL=yes)
#
# Password associated with the LDAP SSL keyfile.
#
### -W AMMGR_SSLOptionsUIPanel.sslKeyfilePassword="<value>"

################################################################################
#
# User Input Field - sslKeyfileLabel (required if enableSSL=yes)
#
# DN label associated with the LDAP SSL keyfile.
#
### -W AMMGR_SSLOptionsUIPanel.sslKeyfileLabel="<value>"

################################################################################
#
# User Input Field - sslPort (required if enableSSL=yes)
#
# SSL port of the LDAP server. The default is 636.
#
### -W AMMGR_SSLOptionsUIPanel.sslPort="636"

################################################################################
#
# User Input Field - enableFIPS
#
# Indicates if FIPS will be enabled or not. 1=yes, 0=no
#
### -W AMMGR_EnableFIPS.enableFIPS="0"

################################################################################
#
# User Input Field - adminId (required for Active Directory registry type)
#
# Active Directory administrator Id
#
### -W AD_UpdatePanel.adminId="<value>"

################################################################################
#
# User Input Field - adminPwd (required for Active Directory registry type)
#
# Active Directory administrator password
#
### -W AD_UpdatePanel.adminPwd="<value>"
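A silent install takes every setting from this file, including cleartext passwords for sec_master, the LDAP administrator and the SSL keyfile, so it pays to check the file mechanically before handing it to the installer. The following Python script is an added example and is not part of this guide or of the Tivoli installer: it parses the uncommented -W Panel.field="value" lines, applies the required-field rules the template comments state for each registry type and for enableSSL=yes, checks the port values and the secmasterPwd confirmation, flags leftover <value> placeholders, and lists the keys that hold secrets so the file can be given owner-only permissions and deleted once the install has finished. The sample options text embedded in the script is constructed for the example; its host names and paths are not from the guide.

```python
"""Sanity-check a Tivoli Access Manager options (response) file before a silent install.
Added example: parses the -W Panel.field="value" settings and applies the
required-field rules stated in the template comments."""
import re
from typing import Dict, List

# An active setting is one uncommented line of the form: -W Panel.field="value"
_SETTING = re.compile(r'^\s*-W\s+([A-Za-z0-9_]+\.[A-Za-z0-9_]+)="(.*)"\s*$')

REGISTRY_TYPES = ("LDAP", "Active Directory", "Domino")

# Fields the template marks "required for ... registry type".
REQUIRED_BY_REGISTRY = {
    "LDAP": ("AMRTE_LDAPOptionsUIPanel.ldapHost", "AMRTE_LDAPOptionsUIPanel.ldapPort"),
    "Active Directory": ("AMRTE_ADServerInfoUIPanel.hostName", "AMRTE_ADServerInfoUIPanel.domainName",
                         "AMRTE_ADAdminInfoUIPanel.adminId", "AMRTE_ADAdminInfoUIPanel.adminPwd"),
    "Domino": ("AMRTE_DominoUIPanel.dominoServer", "AMRTE_DominoUIPanel.notesClientPwd",
               "AMRTE_DominoUIPanel.nabDbName", "AMRTE_DominoUIPanel.amDbName"),
}
PORT_KEYS = ("AMRTE_ServerOptionsUIPanel.listeningPort", "AMRTE_LDAPOptionsUIPanel.ldapPort",
             "AMRTE_SSLOptionsUIPanel.sslPort", "AMMGR_ConfigOptions.secmasterPort")


def parse_options(text: str) -> Dict[str, str]:
    """Return {Panel.field: value} for the uncommented -W lines; '#' lines are ignored."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _SETTING.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def _valid_port(value: str) -> bool:
    return value.isdigit() and 1 <= int(value) <= 65535


def validate_options(text: str) -> List[str]:
    """Return the list of problems found; an empty list means every check passed."""
    o = parse_options(text)
    problems: List[str] = []
    reg = o.get("AMRTE_RegistryTypeUIPanel.regType")
    if reg not in REGISTRY_TYPES:
        problems.append(f"regType must be one of {REGISTRY_TYPES}, got {reg!r}")
    for key in REQUIRED_BY_REGISTRY.get(reg, ()):
        if not o.get(key):
            problems.append(f"{key} is required for registry type {reg}")
    # SSL to the registry needs the keyfile, its password, the certificate label and the SSL port.
    if o.get("AMRTE_EnableSSLUIPanel.enableSSL", "no").lower() == "yes":
        for fld in ("sslKeyfile", "sslKeyfilePassword", "sslKeyfileLabel", "sslPort"):
            if not o.get(f"AMRTE_SSLOptionsUIPanel.{fld}"):
                problems.append(f"AMRTE_SSLOptionsUIPanel.{fld} is required when enableSSL=yes")
    for key in PORT_KEYS:
        if key in o and not _valid_port(o[key]):
            problems.append(f"{key} is not a valid TCP port: {o[key]!r}")
    pwd = o.get("AMMGR_ConfigOptions.secmasterPwd")
    if pwd is not None and pwd != o.get("AMMGR_ConfigOptions.secmasterPwdConfirm"):
        problems.append("secmasterPwd and secmasterPwdConfirm differ")
    for key, value in o.items():          # placeholders copied straight from the template
        if value == "<value>":
            problems.append(f"{key} still holds the template placeholder <value>")
    return problems


def credential_keys(text: str) -> List[str]:
    """Keys whose values are cleartext secrets. A file containing them must be readable
    by the installing account only and removed once the silent install has finished."""
    return sorted(k for k in parse_options(text)
                  if re.search(r"(pwd|password)(confirm)?$", k, re.IGNORECASE))


# Constructed sample: a partially filled LDAP response file (host names and paths are made up).
SAMPLE_OPTIONS = """\
### -W AM_TCDPanel.useTcd="no"
-W AMRTE_RegistryTypeUIPanel.regType="LDAP"
-W AMRTE_ServerOptionsUIPanel.hostName="pdmgr.example.com"
-W AMRTE_ServerOptionsUIPanel.listeningPort="7135"
-W AMRTE_LDAPOptionsUIPanel.ldapHost="ldap.example.com"
-W AMRTE_LDAPOptionsUIPanel.ldapPort="389"
-W AMRTE_EnableSSLUIPanel.enableSSL="yes"
-W AMRTE_SSLOptionsUIPanel.sslKeyfile="/etc/security/ldapclient.kdb"
-W AMRTE_SSLOptionsUIPanel.sslKeyfilePassword="keyfile-secret"
-W AMRTE_SSLOptionsUIPanel.sslPort="636"
-W AMMGR_ConfigOptions.secmasterPwd="S3cret!"
-W AMMGR_ConfigOptions.secmasterPwdConfirm="S3cret?"
-W AMMGR_LdapOptions.ldapadminid="<value>"
"""

if __name__ == "__main__":
    for problem in validate_options(SAMPLE_OPTIONS):
        print("PROBLEM:", problem)
    print("protect, then delete after install:", credential_keys(SAMPLE_OPTIONS))
```

On the sample the script reports the missing sslKeyfileLabel, the mismatched secmasterPwd confirmation and the leftover placeholder, and lists three keys holding secrets. Run it against the real file before the install and, on UNIX, keep that file at mode 0600 while it exists.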
See Software Distribution installation method on page 26 for instructions to install using software package definition files. The following contents are from the Tivoli Access Manager amacld.spd.template SPD file:
# 21 41 1.21 src/cdrom/spd/create_spd.sh, pd.instcfg.spd, am610, 071022a 5/25/07 11:11:58
# Licensed Materials - Property of IBM
# 5724-C08
# (c) Copyright International Business Machines Corp. 1999, 2007
# All Rights Reserved
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
"TIVOLI Software Package v4.2 - SPDF"

package
  name = install_amacld_windows
  version = 61
  web_view_mode = hidden
  undoable = o
  committable = o
  history_reset = n
  save_default_variables = n
  creation_time = "2007-11-05 16:18:22"
  last_modification_time = "2007-11-05 16:18:22"

  default_variables
    ### Drive letter of location of options file (leave blank if not Windows)
    options_drive = ""
    ### location of options file
    options_filename = /install/config/windows/install_amacld.options
    ### Drive letter if source server is Windows (leave blank if not Windows)
    install_srcdrive = ""
    ### location of install images
    install_srcdir = /install/tam610.windows
  end

  # source_host_name = your.source.host
  # log_host_name = your.log.host
  log_path = c:/progra~1/tivoli/swdis/1/work/install_amacld_windows.log
  move_removing_host = y
  no_check_source_host = y
  lenient_distribution = n
  default_operation = install
  server_mode = all
  operation_mode = not_transactional
  post_notice = n
  before_as_uid = 0
  skip_non_zero = n
  after_as_uid = 0
  no_chk_on_rm = y
  versioning_type = swd
  package_type = refresh
  stop_on_failure = y

  execute_user_program
    caption = "IBM Tivoli Access Manager Authorization Server 6.1 for WINDOWS"
    transactional = n

    during_install
      path = $(temp_dir)/$(install_srcdir)/install_amacld.exe
      arguments = "-W EZ_RebootPanel.exitWithoutReboot=true -options $(temp_dir)/$(options_filename) -silent"
      inhibit_parsing = n
      working_dir = $(temp_dir)/$(install_srcdir)
      timeout = -1
      unix_user_id = 0
      unix_group_id = 0
      user_input_required = n
      output_file_append = n
      error_file_append = n
      reporting_stdout_on_server = n
      reporting_stderr_on_server = n
      max_stdout_size = 10000
      max_stderr_size = 10000
      bootable = n
      retry = 1

      exit_codes
        success = 0,0
        failure = 1,1002
        success_reboot_now = 1003,1003
        failure = 1004,65535
      end

      corequisite_files
        add_file
          replace_if_existing = y
          replace_if_newer = n
          remove_if_modified = n
          name = $(options_drive)$(options_filename)
          translate = n
          destination = $(temp_dir)/$(options_filename)
          compression_method = stored
          rename_if_locked = n
        end

        add_directory
          replace_if_existing = y
          replace_if_newer = n
          remove_if_modified = n
          name = $(install_srcdrive)$(install_srcdir)
          destination = $(temp_dir)/$(install_srcdir)
          descend_dirs = n
          compression_method = stored
          rename_if_locked = n

          add_directory
            stop_on_failure = y
            replace_if_existing = y
            replace_if_newer = n
            remove_if_modified = n
            name = "common"
            destination = "common"
            descend_dirs = y
            compression_method = stored
            rename_if_locked = n
          end # common

          add_directory
            stop_on_failure = y
            replace_if_existing = y
            replace_if_newer = n
            remove_if_modified = n
            name = "EIC"
            destination = "EIC"
            descend_dirs = y
            compression_method = stored
            rename_if_locked = n
          end # EIC

          add_directory
            stop_on_failure = y
            replace_if_existing = y
            replace_if_newer = n
            remove_if_modified = n
            name = "license"
            destination = "license"
            descend_dirs = y
            compression_method = stored
            rename_if_locked = n
          end # license
Chapter 28. Using software package definition files
          add_directory
            stop_on_failure = y
            replace_if_existing = y
            replace_if_newer = n
            remove_if_modified = n
            name = "lib"
            destination = "lib"
            descend_dirs = y
            compression_method = stored
            rename_if_locked = n
          end # lib

          add_file
            replace_if_existing = y
            replace_if_newer = n
            remove_if_modified = n
            name = "install_amacld.exe"
            translate = n
            destination = "install_amacld.exe"
            compression_method = stored
            rename_if_locked = n
          end

          add_file
            replace_if_existing = y
            replace_if_newer = n
            remove_if_modified = n
            name = "install_amacld_setup.jar"
            translate = n
            destination = "install_amacld_setup.jar"
            compression_method = stored
            rename_if_locked = n
          end

          add_directory
            stop_on_failure = y
            replace_if_existing = y
            replace_if_newer = n
            remove_if_modified = n
            name = "windows"
            destination = "windows"
            descend_dirs = n
            compression_method = stored
            rename_if_locked = n

            add_directory
              stop_on_failure = y
              replace_if_existing = y
              replace_if_newer = n
              remove_if_modified = n
              name = "GSKit"
              destination = "GSKit"
              descend_dirs = y
              compression_method = stored
              rename_if_locked = n
            end # GSKit

            add_directory
              stop_on_failure = y
              replace_if_existing = y
              replace_if_newer = n
              remove_if_modified = n
              name = "tds"
              destination = "tds"
              descend_dirs = y
              compression_method = stored
              rename_if_locked = n
            end # tds

            add_directory
              stop_on_failure = y
              replace_if_existing = y
              replace_if_newer = n
              remove_if_modified = n
              name = "migrate"
              destination = "migrate"
              descend_dirs = y
              compression_method = stored
              rename_if_locked = n
            end # migrate

            add_directory
              stop_on_failure = y
              replace_if_existing = y
              replace_if_newer = n
              remove_if_modified = n
              name = "bin"
              destination = "bin"
              descend_dirs = y
              compression_method = stored
              rename_if_locked = n
            end # bin

            add_directory
              stop_on_failure = y
              replace_if_existing = y
              replace_if_newer = n
              remove_if_modified = n
              name = "TivSecUtl"
              destination = "TivSecUtl"
              descend_dirs = y
              compression_method = stored
              rename_if_locked = n
            end # TivSecUtl

            add_directory
              stop_on_failure = y
              replace_if_existing = y
              replace_if_newer = n
              remove_if_modified = n
              name = "PolicyDirector"
              destination = "PolicyDirector"
              descend_dirs = n
              compression_method = stored
              rename_if_locked = n

              add_directory
                stop_on_failure = y
                replace_if_existing = y
                replace_if_newer = n
                remove_if_modified = n
                name = "Disk Images"
                destination = "Disk Images"
                descend_dirs = n
                compression_method = stored
                rename_if_locked = n

                add_directory
                  stop_on_failure = y
                  replace_if_existing = y
                  replace_if_newer = n
                  remove_if_modified = n
                  name = "Disk1"
                  destination = "Disk1"
                  descend_dirs = n
                  compression_method = stored
                  rename_if_locked = n

                  add_directory
                    stop_on_failure = y
                    replace_if_existing = y
                    replace_if_newer = n
                    remove_if_modified = n
                    name = "PDLIC"
                    destination = "PDLIC"
                    descend_dirs = y
                    compression_method = stored
                    rename_if_locked = n
                  end # PDLIC

                  add_directory
                    stop_on_failure = y
                    replace_if_existing = y
                    replace_if_newer = n
                    remove_if_modified = n
                    name = "PDMGR"
                    destination = "PDMGR"
                    descend_dirs = y
                    compression_method = stored
                    rename_if_locked = n
                  end # PDMGR

                  add_directory
                    stop_on_failure = y
                    replace_if_existing = y
                    replace_if_newer = n
                    remove_if_modified = n
                    name = "PDAcld"
                    destination = "PDAcld"
                    descend_dirs = y
                    compression_method = stored
                    rename_if_locked = n
                  end # PDAcld
                end # Disk1
              end # Disk Images
            end # PolicyDirector
          end # windows

          # add_file
          #   replace_if_existing = y
          #   replace_if_newer = n
          #   remove_if_modified = n
          #   name = "/my/path/to/pdcacert.b64"
          #   translate = n
          #   destination = "/var/PolicyDirector/keytab/pdcacert.b64"
          #   compression_method = stored
          #   rename_if_locked = n
          # end
        end # $(temp_dir)/$(install_srcdir)
      end # corequisite_files
    end # during_install
  end # execute_user_program

  execute_user_program
    caption = "IBM Tivoli Access Manager Authorization Server 6.1 for WINDOWS (reboot: 1)"
    transactional = n

    during_install
      path = $(temp_dir)/$(install_srcdir)/install_amacld.exe
      arguments = "-W EZ_RebootPanel.exitWithoutReboot=true -options $(temp_dir)/$(options_filename) -silent"
      inhibit_parsing = n
      working_dir = $(temp_dir)/$(install_srcdir)
      timeout = -1
      unix_user_id = 0
      unix_group_id = 0
      user_input_required = n
      output_file_append = n
      error_file_append = n
      reporting_stdout_on_server = n
      reporting_stderr_on_server = n
      max_stdout_size = 10000
      max_stderr_size = 10000
      bootable = n
      retry = 1

      exit_codes
        success = 0,0
        failure = 1,1002
        success_reboot_now = 1003,1003
        failure = 1004,65535
      end
    end # during_install
  end # execute_user_program
end # package
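A package definition like the one above is what the endpoint actually executes, so it is worth reading back mechanically what it will run and how it will interpret the installer's exit status: 0 is success, 1003 means the install succeeded but the host must be rebooted, and 1 to 1002 and 1004 to 65535 are failures. The following Python parser is an added example, not IBM or Tivoli code: it builds the SPDF block tree (a bare word opens a block, end closes it, key = value is a setting, and a key such as failure may repeat within a block), then lists each execute_user_program phase with its command line and exit-code map. The trimmed SPD text embedded in the script is constructed from the package above for the example.

```python
"""Read back a Tivoli Software Package Definition (SPDF) file before distributing it.
Added example: builds the block tree and extracts what the endpoint will execute."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class Block:
    name: str
    items: List[Tuple[str, str]] = field(default_factory=list)   # ordered; a key may repeat
    children: List["Block"] = field(default_factory=list)

    def get(self, key: str) -> Optional[str]:
        """First value for key in this block, or None."""
        for k, v in self.items:
            if k == key:
                return v
        return None

    def walk(self) -> Iterator["Block"]:
        yield self
        for child in self.children:
            yield from child.walk()


def parse_spd(text: str) -> Block:
    """A bare word opens a block, 'end' closes it, 'key = value' is a setting.
    Lines starting with '#' are comments; the quoted SPDF banner line is skipped."""
    root = Block("<root>")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#"':
            continue
        if line == "end" or line.startswith("end "):
            if len(stack) == 1:
                raise ValueError("unbalanced 'end'")
            stack.pop()
        elif " = " in line:
            key, value = line.split(" = ", 1)
            stack[-1].items.append((key.strip(), value.strip().strip('"')))
        else:
            block = Block(line)
            stack[-1].children.append(block)
            stack.append(block)
    if len(stack) != 1:
        raise ValueError(f"unclosed block: {stack[-1].name}")
    return root


def exit_code_ranges(block: Optional[Block]) -> List[Tuple[str, int, int]]:
    """(outcome, low, high) triples from an exit_codes block, in file order."""
    if block is None:
        return []
    ranges = []
    for outcome, spec in block.items:
        low, high = (int(x) for x in spec.split(","))
        ranges.append((outcome, low, high))
    return ranges


def classify_exit(ranges: List[Tuple[str, int, int]], code: int) -> str:
    """How Software Distribution will interpret an installer exit code."""
    for outcome, low, high in ranges:
        if low <= code <= high:
            return outcome
    return "unmapped"


def installer_programs(root: Block) -> List[Dict[str, object]]:
    """Every execute_user_program phase with its command line and exit-code map."""
    programs = []
    for block in root.walk():
        if block.name != "execute_user_program":
            continue
        for phase in block.children:              # during_install, etc.
            codes = next((c for c in phase.children if c.name == "exit_codes"), None)
            programs.append({
                "caption": block.get("caption"),
                "phase": phase.name,
                "path": phase.get("path"),
                "arguments": phase.get("arguments"),
                "exit_codes": exit_code_ranges(codes),
            })
    return programs


# Constructed sample: a trimmed-down version of the package definition above.
SAMPLE_SPD = '''\
"TIVOLI Software Package v4.2 - SPDF"
package
  name = install_amacld_windows
  version = 61
  default_variables
    ### location of options file
    options_filename = /install/config/windows/install_amacld.options
    install_srcdir = /install/tam610.windows
  end
  execute_user_program
    caption = "IBM Tivoli Access Manager Authorization Server 6.1 for WINDOWS"
    during_install
      path = $(temp_dir)/$(install_srcdir)/install_amacld.exe
      arguments = "-W EZ_RebootPanel.exitWithoutReboot=true -options $(temp_dir)/$(options_filename) -silent"
      exit_codes
        success = 0,0
        failure = 1,1002
        success_reboot_now = 1003,1003
        failure = 1004,65535
      end
    end # during_install
  end # execute_user_program
end # package
'''

if __name__ == "__main__":
    for program in installer_programs(parse_spd(SAMPLE_SPD)):
        print(program["caption"], "->", program["path"], program["arguments"])
        for code in (0, 1003, 1, 2000):
            print("  exit", code, "=>", classify_exit(program["exit_codes"], code))
```

Because the parser keeps settings in file order, the two failure ranges survive intact and classify_exit answers the practical question of whether a given installer exit status will be reported as success, as a success that still needs a reboot, or as a failure.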
Chapter 29. Tivoli Access Manager registry adapter for WebSphere federated repositories
The Tivoli Access Manager registry adapter for WebSphere federated repositories uses the Tivoli Access Manager Registry Direct Java API to perform registry-related operations. The adapter:
- Is a virtual member manager (VMM) adapter. For detailed information about VMM, see the Virtual member manager documentation in the IBM WebSphere Application Server information center at http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp.
- Supports a single Tivoli Access Manager domain, although Tivoli Access Manager itself supports multiple secure domains when configured with an LDAP registry.
- Supports the Tivoli Access Manager registries that the Registry Direct Java API supports.
pdadmin -a sec_master -p sec_master_password
pdadmin sec_master> user create -no-password-policy user_name cn=user_name,registry_suffix user_name user_name password ( SecurityGroup ivacld-servers remote-acl-users )
pdadmin sec_master> user modify user_name account-valid yes
In the example, user_name is your choice of name for the user. A good naming scheme is tamVMMAdapter-machine_name. The value registry_suffix is the suffix of the registry where this user is stored, for example, o=ibm,c=us.
5. Go to the computer where the Tivoli Access Manager adapter is to be configured.
6. Change directory to <WebSphere Application Server installation directory>/lib.
7. Run the com.tivoli.pd.rgy.util.RgyConfig tool.
   Note: You must use the IBM Java runtime environment to run this tool, for example:
   <WebSphere Application Server installation directory>/java/jre/bin/java
   Syntax:

java com.tivoli.pd.rgy.util.RgyConfig properties_file_destination create Default Default "ldaphostname:389:readwrite:5" "DN" DN_password

   properties_file_destination
       Specifies the full path to an existing directory and the name of a file that is created when this command is run. Place the file in a directory appropriate for your WebSphere deployment:
       - For a non-clustered WebSphere server: <WebSphere Application Server installation directory>/profiles/<server name>/config/vm_tam_adapter
       - For a WebSphere cluster (replicated) environment, create the file on the DMgr: <WebSphere Application Server installation directory>/profiles/<DMgr server name>/config/vm_tam_adapter
   ldaphostname
       The host name of the LDAP server to which Tivoli Access Manager is configured. The host name is specified in the Tivoli Access Manager runtime configuration file: <Tivoli Access Manager installation directory>/etc/ldap.conf
   389
       The default LDAP port. Modify as needed for your deployment.
   "DN"
       The Distinguished Name (DN) specified in the pdadmin user creation command. Ensure that the value is surrounded by double quotation marks.
8. After running com.tivoli.pd.rgy.util.RgyConfig, update the configuration as needed for your WebSphere deployment:
   - For a non-clustered WebSphere server, restart the WebSphere Application Server.
   - For a WebSphere cluster (replicated) environment, perform a full WebSphere resynchronization and restart the WebSphere Application Server.
6. Save the wimconfig.xml file and close the text editor.
7. Copy the TAM_installation_directory/java/export/vmm_tam_adapter/VMMTamAdapter.jar file to the WebSphere_install_directory/lib folder.
8. Start wsadmin in the no-connection mode:
wsadmin -conntype none
9. Disable paging in the common repository configuration by setting the supportPaging parameter of the updateIdMgrRepository command to false.
$AdminTask updateIdMgrRepository {-id TAMRegistryAdapter -supportPaging false }
Note: A warning is shown until the configuration of the sample repository is finished.
10. Add a custom property for the TAMRegistryAdapter.
$AdminTask setIdMgrCustomProperty {-id TAMRegistryAdapter -name tamConfFile -value "properties_file_destination"}
Chapter 29. Tivoli Access Manager registry adapter for WebSphere federated repositories
631
properties_file_destination
The properties file that was created as the result of running com.tivoli.pd.rgy.util.RgyConfig in the prerequisite task. This value can be either a fully qualified file path or a file path relative to the WebSphere configuration repository. For example, if the physical file path is C:/Program files/IBM/Websphere/AppServer/profiles/AppSrv01/config/tamvmm/tam.conf.properties and C:/Program files/IBM/Websphere/AppServer/profiles/AppSrv01/config is the WebSphere Application Server configuration repository, the relative path to use is tamvmm/tam.conf.properties. In a WebSphere cluster environment, use the relative path.
11. Add a base entry to the adapter configuration using the addIdMgrRepositoryBaseEntry command to specify the name of the base entry for the specified repository:
$AdminTask addIdMgrRepositoryBaseEntry {-id TAMRegistryAdapter -name base_entry_name }
base_entry_name
This name must match the suffix used by the Tivoli Access Manager user registry.
12. Use the addIdMgrRealmBaseEntry command to add the base entry to the realm. This action links the realm with the repository:
$AdminTask addIdMgrRealmBaseEntry {-name defaultWIMFileBasedRealm -baseEntry base_entry_name }
base_entry_name
This name must match the value specified in the previous step.
defaultWIMFileBasedRealm
The default realm name is defaultWIMFileBasedRealm. If this realm was renamed, use the new realm name instead of defaultWIMFileBasedRealm.
13. Save your configuration changes. Enter the following commands to save the new configuration and close the wsadmin tool:
$AdminConfig save
exit
a. Use pdadmin to connect to the registry and perform a test user creation to confirm.
b. Restart the registry and correct any connection issues if necessary.
c. If the problem persists, continue to the next step.
2. Open the wimconfig.xml file and verify the settings in the new code that you created:
<config:repositories adapterClassName="com.tivoli.pd.vmm.adapter.tam.TAMRegistryAdapter" id="TAMRegistryAdapter" supportPaging="false">
<config:baseEntries name="o=ibm,c=us"/>
<config:CustomProperties name="tamConfFile" value="/opt/IBM/WebSphere/AppServer/profiles/dmgr/config/itfim/tamVMMAdapter.properties"/>
</config:repositories>
- Confirm that the location or name of the properties file is correct.
- Confirm that the suffix is correct for the Tivoli Access Manager registry.
Note: If you modify the configuration file, you must restart WebSphere. WebSphere requires you to log in as the administrator to stop WebSphere. However, if you cannot log in, you must stop the WebSphere process. You can then restart WebSphere without a login.
3. If you did not identify any problems with the configuration file in the previous step, revert to the backup copy of wimconfig.xml.
a. Make a backup of your new wimconfig.xml file.
4. Restore the backup of the original wimconfig.xml file.
5. Restart WebSphere. If you can log in after restoring the backed up file, there is a problem with the Tivoli Access Manager adapter configuration. Review the configuration and correct any errors.
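The two confirmations above (properties file location, registry suffix) plus the supportPaging and realm settings from steps 9 to 12 can be checked offline before restarting WebSphere. The following script is an added example, not part of this guide and not IBM code. It assumes the WebSphere federated repositories (WIM) configuration namespace http://www.ibm.com/websphere/wim/config and the config:realms / config:participatingBaseEntries element names for the realm link, none of which are shown on this page; the wimconfig.xml fragments it parses and the properties file it writes are constructed for the example.

```python
"""Offline sanity check of the TAMRegistryAdapter entries in a wimconfig.xml (added example)."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Assumed namespace of the WIM configuration document; it is not shown on the page.
WIM_NS = "http://www.ibm.com/websphere/wim/config"
NS = {"config": WIM_NS}
ADAPTER_CLASS = "com.tivoli.pd.vmm.adapter.tam.TAMRegistryAdapter"
ADAPTER_ID = "TAMRegistryAdapter"


def _is_absolute(path):
    # os.path.isabs does not recognise Windows drive paths on UNIX, so accept both forms.
    return os.path.isabs(path) or re.match(r"^[A-Za-z]:[\\/]", path) is not None


def check_tam_adapter(xml_text, expected_suffix, config_repo_dir, realm="defaultWIMFileBasedRealm"):
    """Return a list of problems found in the adapter configuration; an empty list means it passed."""
    problems = []
    root = ET.fromstring(xml_text)
    repos = [r for r in root.iter("{%s}repositories" % WIM_NS) if r.get("id") == ADAPTER_ID]
    if not repos:
        return ["no config:repositories element with id=%s" % ADAPTER_ID]
    if len(repos) > 1:
        problems.append("more than one config:repositories element with id=%s" % ADAPTER_ID)
    repo = repos[0]
    if repo.get("adapterClassName") != ADAPTER_CLASS:
        problems.append("adapterClassName is %r, expected %s" % (repo.get("adapterClassName"), ADAPTER_CLASS))
    # Step 9: paging must be disabled for this adapter.
    if repo.get("supportPaging") != "false":
        problems.append("supportPaging is %r, must be \"false\"" % repo.get("supportPaging"))
    # Step 11: the base entry must match the suffix used by the Tivoli Access Manager registry.
    bases = [b.get("name") for b in repo.findall("config:baseEntries", NS)]
    if expected_suffix not in bases:
        problems.append("base entry %r missing (found %r)" % (expected_suffix, bases))
    # Step 10: tamConfFile must resolve, either absolutely or relative to the configuration repository.
    props = {p.get("name"): p.get("value") for p in repo.findall("config:CustomProperties", NS)}
    conf = props.get("tamConfFile")
    if conf is None:
        problems.append("custom property tamConfFile is missing")
    else:
        resolved = conf if _is_absolute(conf) else os.path.join(config_repo_dir, conf)
        if not os.path.isfile(resolved):
            problems.append("tamConfFile does not resolve to a file: %s" % resolved)
    # Step 12: the realm must list the same base entry (element names are assumed).
    realms = [r for r in root.iter("{%s}realms" % WIM_NS) if r.get("name") == realm]
    if not realms:
        problems.append("realm %r not found" % realm)
    else:
        linked = [e.get("name") for e in realms[0].findall("config:participatingBaseEntries", NS)]
        if expected_suffix not in linked:
            problems.append("realm %r does not include base entry %r" % (realm, expected_suffix))
    return problems


# Constructed wimconfig.xml fragment; the repositories element mirrors the snippet on the page.
TEMPLATE = """<config:configurationProvider xmlns:config="%s">
  <config:repositories adapterClassName="%s" id="TAMRegistryAdapter" supportPaging="{paging}">
    <config:baseEntries name="{suffix}"/>
    <config:CustomProperties name="tamConfFile" value="{conf}"/>
  </config:repositories>
  <config:realms name="defaultWIMFileBasedRealm">
    <config:participatingBaseEntries name="{realm_entry}"/>
  </config:realms>
</config:configurationProvider>""" % (WIM_NS, ADAPTER_CLASS)


def run_demo():
    """Check a correct and a faulty fragment against a throw-away configuration repository."""
    with tempfile.TemporaryDirectory() as repo_dir:
        os.makedirs(os.path.join(repo_dir, "tamvmm"))
        with open(os.path.join(repo_dir, "tamvmm", "tam.conf.properties"), "w") as f:
            f.write("# constructed stand-in for the RgyConfig output\n")
        good = TEMPLATE.format(paging="false", suffix="o=ibm,c=us",
                               conf="tamvmm/tam.conf.properties", realm_entry="o=ibm,c=us")
        bad = TEMPLATE.format(paging="true", suffix="o=ibm,c=uk",
                              conf="tamvmm/missing.properties", realm_entry="o=ibm,c=us")
        return (check_tam_adapter(good, "o=ibm,c=us", repo_dir),
                check_tam_adapter(bad, "o=ibm,c=us", repo_dir))


if __name__ == "__main__":
    ok, broken = run_demo()
    print("good config:", ok or "no problems")
    for p in broken:
        print("bad config:", p)
```

Run it against the real file with the configuration repository directory of the deployment manager profile (the directory that the relative tamConfFile path is resolved against in a cluster); any problem it reports is one of the items the recovery steps above tell you to correct.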
General concerns
The following concerns are specific to all of the supported user registries:
- Avoid using the forward slash (/) character when defining the names for users and groups when that name is defined using distinguished name strings. Each user registry treats this character differently.
- Avoid using leading and trailing blanks in user and group names. Each user registry treats blanks differently.
LDAP concerns
The following concerns are specific to all of the supported LDAP user registries:
- There are no configuration steps needed in Tivoli Access Manager to make it support LDAP's own Password Policy. Tivoli Access Manager does not assume the existence or non-existence of LDAP's own Password Policy at all. Tivoli Access Manager enforces its own Password Policy first and foremost. Tivoli Access Manager attempts to update the password in LDAP only when the provided password passes Tivoli Access Manager's own Password Policy check. After that, Tivoli Access Manager tries to accommodate LDAP's own Password Policy to the best of its ability using the return code that it gets from LDAP during a password-related update. If Tivoli Access Manager can map this return code without any ambiguity to the corresponding Tivoli Access Manager error code, it does so and returns a proper error message.
- To take advantage of the multi-domain support in Tivoli Access Manager, you must use an LDAP user registry. When using a URAF user registry, only a single Tivoli Access Manager domain is supported.
- When using an LDAP user registry, the capability to own global sign-on credentials must be explicitly granted to a user. After this capability is granted, it can subsequently be removed. Conversely, users that are created in a URAF user registry are automatically given this capability. This capability cannot be removed.
- Leading and trailing blanks in user names and group names are ignored when using an LDAP user registry in a Tivoli Access Manager secure domain. To ensure consistent processing regardless of the user registry, define user names and group names without leading or trailing blanks.
- Attempting to add a single duplicate user to a group does not produce an error when using an LDAP user registry.
- The Tivoli Access Manager authorization API provides a credentials attribute entitlements service. This service is used to retrieve user attributes from a user registry. When this service is used with an LDAP user registry, the retrieved attributes can be string data or binary data. However, when used with a URAF user registry, the retrieved attributes can be string data, binary data, or integer data.
When the directory server is installed, the default value is 5000. To modify this value, perform the following steps from the Sun Java System Directory Server Console:
1. Select the Configuration tab.
2. Expand the Data entry.
3. Select Database Settings.
4. Select the LDBM Plug-in Settings tab.
5. In the Look-through Limit field, type the maximum number of entries that you want the server to check in response to the search, or type -1 to define no maximum limit.
If you bind to the directory as the Directory Manager, the look-through limit is unlimited and overrides any setting specified in this field.
example, you cannot use the following command to create a user because the value of the cn attribute, fred, is different from the cn naming attribute in the dn, user1:
pdadmin user create user1 cn=user1,o=ibm,c=us fred smith password1
URAF concerns
The following concerns are specific to all of the supported URAF user registries:
- When using a URAF user registry, only a single Tivoli Access Manager domain is supported. To take advantage of the Tivoli Access Manager multi-domain support, use an LDAP user registry.
- Users created in a URAF user registry are automatically given the capability to own global sign-on credentials. This capability cannot be removed. When using an LDAP user registry, this capability must be explicitly granted. After this capability is granted, it can subsequently be removed.
- The Tivoli Access Manager authorization API provides a credentials attribute entitlements service. This service is used to retrieve user attributes from a user registry. When this service is used with a URAF user registry, the retrieved attributes can be string data, binary data, or integer data. However, when used with an LDAP user registry, the retrieved attributes can be only string data or binary data.
- When Tivoli Access Manager imports a dynamic group, the ivacld-servers and remote-acl-users groups apply read permission on each authorization store to which the dynamic group belongs. This read permission enables Tivoli Access Manager blade servers, such as WebSEAL, to read the registry authorization store, which gives the blade server the ability to read dynamic group data, such as group membership, for building Tivoli Access Manager credentials. Manually removing this read permission while Tivoli Access Manager is configured to the Active Directory registry results in adverse behavior, such as inaccurate group membership.
- If the option to change a user's password using LDAP APIs is enabled in an environment where Tivoli Access Manager is configured to use the Active Directory user registry and Tivoli Access Manager blade servers use LDAP APIs to communicate with the Active Directory server, Tivoli Access Manager must be configured with Secure Socket Layer (SSL) to allow connections between the LDAP client and the Active Directory server. The Active Directory environment must also be enabled to accept LDAP connections over Secure Socket Layer (SSL).
- When using an Active Directory user registry in a Tivoli Access Manager configuration with blade servers that use LDAP APIs to communicate with the Active Directory server, Access Manager supports user password change requests using either the Policy Server or LDAP APIs. Change user password requests using the LDAP APIs do not require the Policy Server to be up and running. The use of LDAP APIs to communicate with the Active Directory server for blade servers is a multi-platform support that allows blade servers to be installed on machines that are not clients of the same domain as the policy server. In this configuration, the policy server must be installed and configured on a Windows operating system.
- When using an Active Directory user registry, each user name and each group name in a domain must be unique. User and group short names are stored in the sAMAccountName attribute of Active Directory user objects and group objects. Active Directory user objects and group objects both have the sAMAccountName attribute as one of their attributes. Microsoft requires that the sAMAccountName attributes be unique within an Active Directory domain.
- When using a multi-domain Active Directory user registry, multiple users and groups can be defined with the same short name as long as they are located in different domains. However, the full name of the user or group, including the domain suffix, must always be specified to Tivoli Access Manager.
- Leading and trailing blanks in user names and group names are ignored when using Microsoft Active Directory Server as the user registry in a Tivoli Access Manager secure domain. To ensure consistent processing, regardless of the user registry, define user names and group names without leading or trailing blanks.
- Tivoli Access Manager supports the use of an email address or other alternate format of the userPrincipalName attribute of the Active Directory registry user object as a Tivoli Access Manager user identity. This is an optional enhancement; when it is enabled, both the default and the email address or other alternate format of the userPrincipalName can co-exist in the Tivoli Access Manager environment. The default format of the userPrincipalName registry attribute is user_id@domain_suffix, where domain_suffix is the Active Directory domain where the user identity is created. For example, johndoe@tivoli.com is the value of the userPrincipalName; tivoli.com is the Active Directory domain where the user identity is created. The Tivoli Access Manager user identity corresponding to the registry user in this example is either johndoe@tivoli.com or johndoe, depending on whether Tivoli Access Manager is configured to use Active Directory with multiple domains or a single domain, respectively. The alternate format of the userPrincipalName attribute is user_id@any_suffix, where any_suffix can be any domain (Active Directory or non-Active Directory) other than the Active Directory domain in which the user identity is created. For example, if the registry user johndoe@other_domain.com is created in Active Directory domain tivoli.com, and the registry user johndoe@tivoli.com is created in Active Directory domain child_domain.tivoli.com, both of these users can be Tivoli Access Manager users, and their user identities are johndoe@other_domain.com and johndoe@tivoli.com, respectively. The alternate user principal name (UPN) support must be enabled in all Tivoli Access Manager run-time environments to ensure that Tivoli Access Manager user identities work properly with alternate UPNs. Once the use of the alternate UPN format as the Access Manager user identity is enabled, it cannot be reversed without breaking Tivoli Access Manager functionality.
- Although users and groups can be created with names that use a distinguished name string that contains a forward slash (/) character, subsequent operations on the object might fail. Some Active Directory functions interpret the forward slash character as a separator between the object name and the host name. To avoid the problem, do not use a forward slash character to define the user.
Length of names
The maximum lengths of various names that are associated with Tivoli Access Manager vary depending on the user registry that is being used. See Table 60 for a comparison of the maximum lengths that are allowed and the recommended maximum length to use to ensure compatibility with all the user registries that are supported by Tivoli Access Manager.
Table 60. Maximum lengths for names by user registry and the optimal length across user registries

Columns: Name; IBM Tivoli Directory Server; IBM z/OS Security Server; Novell eDirectory Server; Sun Java System Directory Server; Microsoft Active Directory Server; Lotus Domino Server; Active Directory Application Mode (ADAM); Optimal length.

Rows: First name (LDAP CN); Middle name; Last name (surname); Registry UID (LDAP DN); Tivoli Access Manager user identity; User password; User description; Group name; Group description; Single sign-on resource name; Single sign-on resource description; Single sign-on user ID; Single sign-on password; Single sign-on group name; Single sign-on group description; Action name; Action description, action type; Object name, object description; Object space name, object space description; ACL name, ACL descriptions; POP name, POP description.

[The per-registry cell values of Table 60 are not legible in this copy; the Active Directory limits are stated in the text that follows.]
Although the maximum length of an Active Directory distinguished name (registry UID) is 2048, the maximum length of each relative distinguished name (RDN) is 64. If you configure Tivoli Access Manager to use multiple Active Directory domains, the maximum length of the user identity and group name does not include the domain suffix. When using multiple domains, the format of a user identity is user_id@domain_suffix. The maximum length of 64 applies only to the user_id portion. If you use an email address or other alternate format for the Tivoli Access Manager user identity in Active Directory, the maximum name length remains the same, but includes the suffix. Although the lengths of some names can be unlimited, excessive lengths can result in policy that is difficult to manage and might result in poor system performance. Choose maximum values that are logical for your environment.
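The registry concerns above (no forward slash, no leading or trailing blanks, the RDN and user_id limits for Active Directory, and the cn naming attribute of the DN having to match the cn attribute, as in the pdadmin example in the LDAP section) can be applied to the arguments of a pdadmin user create command before it is issued. The following script is an added example, not IBM code and not part of this guide. The DEFAULT_LIMITS values it uses are the optimal lengths for the first four rows of Table 60 as they appear on this page and the Active Directory RDN and user_id limit of 64 from the text; adjust them for your registry. The DN parser is a simple one for the example and handles only escaped commas.

```python
"""Pre-check of pdadmin user create arguments against the registry concerns (added example)."""
import re

# Limits applied by this example: optimal lengths from Table 60 for the first four entries,
# Active Directory RDN and user_id limits (64) from the text. Override for other registries.
DEFAULT_LIMITS = {
    "first name": 64,
    "last name": 64,
    "registry uid": 255,
    "rdn": 64,
    "user identity": 64,
}

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split a DN on commas that are not backslash-escaped


def parse_dn(dn):
    """Return [(attribute, value), ...] for a DN string; raise ValueError on a malformed RDN."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value))
    return rdns


def _check_name(label, value, limit, problems):
    # General concerns: blanks and the forward slash are treated differently by each registry.
    if value != value.strip():
        problems.append("%s has leading or trailing blanks: %r" % (label, value))
    if "/" in value:
        problems.append("%s contains a forward slash: %r" % (label, value))
    if len(value) > limit:
        problems.append("%s is %d characters, longer than the recommended %d" % (label, len(value), limit))


def check_user_create(user_id, dn, cn, sn, limits=None):
    """Validate the arguments of 'pdadmin user create user_id dn cn sn password'.

    Returns a list of problems; an empty list means no concern on this page was hit.
    """
    limits = limits or DEFAULT_LIMITS
    problems = []
    _check_name("user identity", user_id, limits["user identity"], problems)
    _check_name("first name (cn)", cn, limits["first name"], problems)
    _check_name("last name (sn)", sn, limits["last name"], problems)
    if "/" in dn:
        problems.append("registry UID contains a forward slash: %r" % dn)
    if len(dn) > limits["registry uid"]:
        problems.append("registry UID is %d characters, longer than the recommended %d" % (len(dn), limits["registry uid"]))
    try:
        rdns = parse_dn(dn)
    except ValueError as err:
        problems.append(str(err))
        return problems
    for attr, value in rdns:
        if len(value) > limits["rdn"]:
            problems.append("RDN %s=%s exceeds the RDN limit of %d" % (attr, value, limits["rdn"]))
    # The first RDN is the naming attribute; when it is cn, its value must equal the cn argument,
    # otherwise the create fails as in the 'user1 ... fred smith' example on this page.
    naming_attr, naming_value = rdns[0]
    if naming_attr == "cn" and naming_value != cn:
        problems.append("naming attribute cn=%s in the DN differs from the cn attribute %r" % (naming_value, cn))
    return problems


if __name__ == "__main__":
    # Constructed sample arguments, including the command the page says cannot be used.
    for args in [("fred", "cn=fred,o=ibm,c=us", "fred", "smith"),
                 ("user1", "cn=user1,o=ibm,c=us", "fred", "smith"),
                 (" fred", "cn=fred/x,o=ibm,c=us", "fred", "smith")]:
        print(args, "->", check_user_create(*args) or "ok")
```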
From this topic, you can search a variety of resources, which include the following:
- IBM Technotes
- IBM downloads
- IBM Redbooks
- IBM developerWorks
- Forums and news groups
- Google
Obtaining fixes
A product fix might be available to resolve your problem. To determine what fixes are available for your IBM software product, check the product support site by performing the following steps:
1. Go to the IBM Software Support site at the following Web address: http://www.ibm.com/software/support
2. Under Products A - Z, click the letter with which your product starts to open a Software Product List.
3. Click your product name to open the product-specific support page.
4. Under Self help, follow the link to All Updates, where you will find a list of fixes, fix packs, and other service updates for your product. For tips on refining your search, click Search tips.
5. Click the name of a fix to read the description.
6. Optional: download the fix.
Severity 1
The problem has a critical business impact. You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.
Severity 2
The problem has a significant business impact. The program is usable, but it is severely limited.
Severity 3
The problem has some business impact. The program is usable, but less significant features that are not critical are unavailable.
Severity 4
The problem has minimal business impact. The problem causes little impact on operations, or a reasonable circumvention to the problem was implemented.
Submitting problems
You can submit your problem to IBM Software Support in one of two ways:
Online
Go to the Submit and track problems page on the IBM Software Support site at the following address, and provide your information into the appropriate problem submission tool: http://www.ibm.com/software/support/probsub.html
By phone
For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook at the following Web address and click the name of your geographic region: http://techsupport.services.ibm.com/guides/contacts.html

If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolution.
For more information about problem resolution, see Searching knowledge bases on page 645 and Obtaining fixes on page 645.
Appendix D. Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements, or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows: (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.
Trademarks
IBM, the IBM logo, AIX, DB2, IBMLink, Tivoli, Tivoli Enterprise Console, and TME are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Adobe, the Adobe logo, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries. Other company, product, and service names may be trademarks or service marks of others.
Glossary
This glossary defines the technical terms and abbreviations that are used in Tivoli Access Manager. If you do not find the term or abbreviation for which you are looking, refer to the IBM Terminology Web site at the following Web address: http://www.ibm.com/ibm/terminology

The following cross-references are used among terms:
Contrast with
Refers the reader to a term that has an opposed or substantively different meaning.
See
Refers the reader to a term that is the expanded form of an abbreviation or acronym or to a synonym or more preferred term.
See also
Refers the reader to a related term.
Obsolete
Indicates that the term should not be used and refers the reader to the preferred term.

A

access control. In computer security, the process of ensuring that only authorized users can access the resources of a computer system in authorized ways.
access control list (ACL). In computer security, a list with an object that identifies all the subjects that can access the object and their access rights. For example, an access control list is a list that is associated with a file that identifies the users who can access the file and identifies the users' access rights to that file.
access decision information (ADI). The data and attributes that are used by the authorization engine to evaluate a rule. Authorization API attributes are name-value pairs that form the basis of all ADI that can be referenced in a rule or presented to the authorization engine.
access permission. The access privilege that applies to the entire object.
account. Information about an identity.
ACL. See access control list.
ACL entry. Data in an access control list that specifies a set of permissions.
ACL policy. Part of the security policy that contains ACL entries that control who can access which domain resources and perform which actions. See also authorization rule and protected object policy.
action. An access control list (ACL) permission attribute. See also access control list.
action group. A set of actions that are explicitly associated with a resource or set of resources.
ADI. See access decision information.
ADK. See application development kit.
administration service. An authorization API runtime plug-in that can be used to perform administration requests on a Tivoli Access Manager resource manager application. The administration service responds to remote requests from the pdadmin command to perform tasks, such as listing the objects under a particular node in the protected object tree. Customers may develop these services using the authorization ADK.
application development kit (ADK). A set of tools, APIs, and documentation to assist with the development of software in a specific computer language or for a particular operating environment.
attribute. A characteristic or trait of an entity that describes the entity. An attribute can have a type, which indicates the range of information given by the attribute, and a value, which is within a range. In XML, for example, an attribute consists of a name-value pair within a tagged element and modifies a feature of an element.
attribute list. A linked list that contains extended information that is used to make authorization decisions. Attribute lists consist of a set of name-value pairs.
audit event. A record of an operation in the audit log or change history; for example, an audit entry is created when a resource is modified.
audit level. The types of user actions that are currently being audited for the entire system or for specific users on the system. Actions that can be audited include authority failures and restoring objects. A record of each action is written to the audit journal.
audit trail. A chronological record of events that enables the user to examine and reconstruct a sequence of events. Audit trails are useful for managing security and for recovering lost transactions.
audit trail file. The file that contains the audit trail.
authentication. In computer security, the process that verifies identity. Authentication is distinct from authorization; authorization is concerned with granting and denying access to resources. See also multi-factor authentication, network-based authentication, and step-up authentication.
authorization. In computer security, the process that grants or denies access to resources. Security uses a two-step process: after authentication has verified the identity, authorization allows the resource or process access to various resources based on its identity.
authorization API. The Tivoli Access Manager component that passes requests for authorization decisions from the resource manager to the authorization evaluator. See also authorization server and authorization service.
authorization evaluator. The decision-making process that determines whether a client can access a protected resource based on the security policy. The evaluator makes its recommendation to the resource manager, which, in turn, responds accordingly.
authorization rule. Part of the security policy that defines conditions that are contained in authorization policy. An authorization rule is used to make access decisions based on attributes such as user, application, and environment context. See also ACL policy and protected object policy.
authorization server. The Tivoli Access Manager component that runs the authorization service. See also authorization service.
authorization service. A dynamic or shared library that can be loaded by the authorization API runtime client at initialization time to perform operations that extend a service interface in the Authorization API.

B

BA. See basic authentication.
basic authentication. An authentication method that verifies identity using a user name and password.
bind. To relate an identifier to another object in a program; for example, to relate an identifier to a value, to an address, or to another identifier, or to associate formal parameters to actual parameters.
blade. A component that provides application-specific services and components.
Boolean. A binary numbering system that is named after mathematician George Boole in which zero and one are the only two values that can be returned; a value of zero represents false while a value of one represents true.
business entitlement. The supplemental attribute of a user credential that describes the fine-grained conditions that can be used in the authorization process.

C

CA. See certificate authority.
CDAS. Obsolete. See external authentication C API.
CDMF. See cross domain mapping framework.
certificate. In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority.
certificate authority (CA). An organization that issues certificates. A CA creates digital signatures and public-private key pairs. The CA guarantees the identity of the individual who is granted the unique certificate and guarantees the services that the owner is authorized to use, to issue new certificates, and to revoke certificates that belong to users and organizations who are no longer authorized to use the services. The role of the CA is to authenticate the entities (users and organizations) involved in electronic transactions. Because the CA guarantees that the two parties that are exchanging information are really who they claim to be, the CA is a critical component in data security and electronic commerce.
CGI. See common gateway interface.
cipher. A cryptographic algorithm that is used to encrypt data so that it is unreadable until it is converted into plain data (decrypted) with a predefined key.
common gateway interface (CGI). An Internet standard for defining scripts that pass information from a Web server to an application program, through an HTTP request, and vice versa. A CGI script is a CGI program that is written in a scripting language, such as Perl.
configuration. The manner in which the hardware and software of a system, subsystem, or network are organized and interconnected.
connection. (1) In data communication, an association established between functional units for conveying information. (2) In TCP/IP, the path between two protocol applications that provides reliable data stream delivery service. In the Internet, a connection extends from a TCP application on one system to a TCP application on another system. (3) In system communication, a line over which data can be passed between two systems or between a system and a device.
console log agent. A log agent that writes events to standard error or standard output. See also file log agent, pipe log agent, and remote log agent.
container object. A structural designation that organizes the object space into distinct functional regions.
cookie. Information that a server stores on a client machine and accesses during subsequent sessions. Cookies allow servers to remember specific information about clients.
credentials. Detailed information, acquired during authentication, that describes the user, any group associations, and other security-related identity attributes. Credentials can be used to perform a multitude of services, such as authorization, auditing, and delegation.
credentials modification service. An authorization API runtime plug-in that can be used to modify a Tivoli Access Manager credential. Credentials modification services developed externally by customers are limited to performing operations that add and remove from the credentials attribute list, and only for those attributes that are considered modifiable.
cross domain authentication service (CDAS). Obsolete. See external authentication C API.
cross domain mapping framework (CDMF). A programming interface that allows a developer to customize the mapping of user identities and the handling of user attributes when the WebSEAL e-Community SSO functions are used.
D
daemon. A system process that runs unattended to perform continuous or periodic system-wide functions, such as network control. See also service.
data store. A storage area for data, such as a database system, directory, or file.
delegate. A user who is authorized to work for another user. The authorization can be made by a user or by an administrator.
demilitarized zone (DMZ). In network security, a computer or network that a firewall isolates from, and that serves as a neutral zone between, a trusted network (for example, a private intranet) and an untrusted network (for example, the Internet). One or more secure gateways usually control access to the DMZ from the trusted or the untrusted network.
digital signature. A value that is computed with a private key over a message (in practice, over a hash of the message) and appended to the message to assure the recipient of the authenticity and integrity of the message. The digital signature proves that the message was signed by an entity that owns, or has access to, the private key. A keyed check value computed with a shared symmetric key gives integrity but not the same proof of origin, because every holder of the shared key can produce it.
directory schema. The valid attribute types and object classes that can appear in a directory. The attribute types and object classes define the syntax of the attribute values, which attributes are required, and which attributes are optional.
distinguished name (DN). (1) The name that uniquely identifies an entry in a directory. A distinguished name is made up of attribute-value pairs separated by commas; a comma or other special character that is part of a value must be escaped with a backslash, so a DN cannot safely be split on commas alone. (2) A set of name-value pairs (such as cn=common name and c=country) that uniquely identifies an entry in a digital certificate.
DMZ. See demilitarized zone.
DN. See distinguished name.
domain. (1) A logical grouping of resources in a network that share common administration and management. (2) A part of a network that is administered with a common protocol. See also domain name.
domain administrator. The administrator for a domain who can assign any of the roles in that domain to subdomains. After roles are assigned to a subdomain, administrators in that subdomain can assign those roles to subdomain users.
domain name. In the Internet suite of protocols, the name of a host system. A domain name consists of a sequence of subnames that are separated by a delimiter character. For example, if austin.ibm.com is the fully qualified domain name (FQDN) of a host system, both austin.ibm.com and ibm.com are domain names.
dynamic group. A group that is defined using a search expression. When an attribute is added to a directory entry that causes it to match the search expression, the entry automatically becomes a member of the group.
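The distinguished name entry above says a DN is "attribute-value pairs separated by commas", which is true only for unescaped commas. The following parser is an added example, not code from the Tivoli Access Manager documentation or product; it resolves RFC 4514 backslash and hex escapes and multi-valued RDNs, and contrasts the result with the naive comma split. The sample DN is constructed for the demonstration.

```python
"""Parse LDAP distinguished names in RFC 4514 string form.

Added example; this is not code from the Tivoli Access Manager documentation.
It illustrates the glossary's DN definition and the caveat it leaves out:
commas, plus signs and other special characters may appear inside an
attribute value when escaped with a backslash (or as a \\XX hex escape), so
splitting a DN on bare commas miscounts its components and can point an
access decision at the wrong directory entry.
"""
from typing import List, Tuple

HEX = "0123456789abcdefABCDEF"
Rdn = List[Tuple[str, str]]  # one RDN may hold several attr=value pairs joined by '+'


def parse_dn(dn: str) -> List[Rdn]:
    """Return the RDNs of `dn`, leftmost (most specific) first, with escapes resolved.

    Attribute types are lower-cased. Values are kept as written except that
    unescaped spaces around them are dropped (RFC 4514 treats them as not
    significant). Value comparison depends on each attribute's matching rule,
    which a string parser cannot know, so no further normalization is done.
    """
    rdns: List[Rdn] = []
    rdn: Rdn = []
    attr, value = bytearray(), bytearray()
    in_value = False
    trailing = 0          # unescaped spaces at the end of the current value
    i, n = 0, len(dn)

    def flush_pair(at: int) -> None:
        nonlocal attr, value, in_value, trailing
        a = attr.decode("utf-8").strip().lower()
        if not in_value or not a or not all(ch.isalnum() or ch in "-." for ch in a):
            raise ValueError(f"malformed RDN component ending at offset {at}")
        v = bytes(value[:len(value) - trailing]) if trailing else bytes(value)
        rdn.append((a, v.decode("utf-8")))
        attr, value, in_value, trailing = bytearray(), bytearray(), False, 0

    while i < n:
        c = dn[i]
        buf = value if in_value else attr
        if c == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                buf.extend(bytes.fromhex(pair))        # \XX: one raw byte (UTF-8 pieces combine)
                i += 3
            elif i + 1 < n:
                buf.extend(dn[i + 1].encode("utf-8"))  # \<char>: the literal character
                i += 2
            else:
                raise ValueError("dangling backslash at end of DN")
            trailing = 0
            continue
        if c == "=" and not in_value:
            in_value = True
        elif c == "," and in_value:
            flush_pair(i)
            rdns.append(rdn)
            rdn = []
        elif c == "+" and in_value:
            flush_pair(i)
        elif c == " " and in_value and not value:
            pass                                        # leading unescaped space: not significant
        else:
            buf.extend(c.encode("utf-8"))
            trailing = trailing + 1 if (c == " " and in_value) else 0
        i += 1
    flush_pair(n)
    rdns.append(rdn)
    return rdns


def naive_split(dn: str) -> List[str]:
    """The tempting but wrong approach: split on every comma."""
    return [part.strip() for part in dn.split(",")]


def dn_to_string(rdns: List[Rdn]) -> str:
    """Re-serialize with RFC 4514 escaping, so the value is safe to log or compare."""
    def esc(v: str) -> str:
        out = "".join("\\" + ch if ch in '"+,;<>\\' else ch for ch in v)
        if out[:1] in ("#", " "):
            out = "\\" + out
        if out.endswith(" ") and not out.endswith("\\ "):
            out = out[:-1] + "\\ "
        return out
    return ",".join("+".join(f"{a}={esc(v)}" for a, v in rdn) for rdn in rdns)


# Constructed sample: an escaped comma, a multi-valued RDN, and a hex-escaped comma.
SAMPLE_DN = r"cn=Smith\, John,ou=Sales+l=Austin,o=Example\2C Inc.,c=US"

if __name__ == "__main__":
    print(parse_dn(SAMPLE_DN))            # 4 RDNs
    print(naive_split(SAMPLE_DN))         # 5 fragments, none of them a usable RDN
    print(dn_to_string(parse_dn(SAMPLE_DN)))
```

The parser deliberately refuses malformed components instead of guessing, because a DN that arrives from an untrusted source (a certificate subject, a form field used to build a filter) is exactly where lenient parsing turns into the wrong entry being matched.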
E
EAS. See external authorization service.
encryption. In computer security, the process of transforming data with a cipher into a form that cannot be read without the key.
entitlement. A data structure that contains externalized security policy information. Entitlements contain policy data or capabilities that are formatted in a way that is understandable to a specific application.
entitlement service. An authorization API runtime plug-in that can be used to return entitlements from an external source for a principal or set of conditions. Entitlements are normally application-specific data that is consumed by the resource manager application in some way or added to the principal's credentials for use further on in the authorization process. Customers can develop these services using the authorization ADK.
entity. In object-oriented design, an item that can be treated as a unit and, often, as a member of a particular category or type. An entity can be concrete or abstract.
event. Any significant change in the state of a system resource, network resource, or network application. An event can be generated for a problem, for the resolution to a problem, or for the successful completion of a task.
event pool. A set of events recognized by an activity. Each activity has its own event pool. The event pool is initialized when the activity is created and is deleted when the activity is deleted.
extended attribute. Additional information that the system or a program associates with an object. An extended attribute can be any format, such as text, a bitmap, or binary data.
external authentication C API. A C API that enables you to write custom authentication modules that replace or extend the functionality of the built-in authentication process. The identity information is returned through the authentication module interface. Contrast with external authentication HTTP interface.
external authentication HTTP interface. An interface that enables you to extend the functionality of the built-in authentication process to allow a remote service to handle the authentication process. The identity information in the HTTP response headers is used to generate user credentials. Contrast with external authentication C API.
external authorization service (EAS). An authorization API runtime plug-in that can be used to make application- or environment-specific authorization decisions as part of the authorization decision chain. Customers can develop these services using the authorization ADK.
Extensible Markup Language (XML). A standard meta-language for defining markup languages that is based on Standard Generalized Markup Language (SGML).
Extensible Stylesheet Language (XSL). A language for specifying style sheets for XML documents. XSL Transformation (XSLT) is used with XSL to describe how an XML document is transformed into another document. See also Extensible Stylesheet Language Transformation.
Extensible Stylesheet Language Transformation (XSLT). An XML processing language that is used to convert an XML document into another document in XML, PDF, HTML, or other format. See also Extensible Stylesheet Language.
F
file log agent. A log agent that writes events to a file. See also console log agent, pipe log agent, and remote log agent.
file transfer protocol (FTP). In the Internet suite of protocols, a protocol that can use Transmission Control Protocol (TCP) and Telnet services to transfer files between machines.
FTP. See file transfer protocol.
G
global sign-on (GSO). A flexible single sign-on solution that enables the user to provide alternative user names and passwords to the back-end Web application server. Through a single login, global sign-on grants users access to the computing resources they are authorized to use. Designed for large enterprises consisting of multiple systems and applications within heterogeneous, distributed computing environments, GSO eliminates the need for users to manage multiple user names and passwords. See also single sign-on.
group. A named list of users by which access levels to corporate directories, databases, and servers are assigned. Two or more individual users who are categorized for the purpose of assigning database security settings; for example, administrators must assign individuals to groups before assigning roles.
GSO. See global sign-on.
H
host. A computer that is connected to a network and provides an access point to that network. The host can be a client, a server, or both a client and a server simultaneously.
HTTP. See hypertext transfer protocol.
hypertext transfer protocol (HTTP). In the Internet suite of protocols, the protocol that is used to transfer and display documents.
I
inheritance. An object-oriented programming technique that allows the use of existing classes as a basis for creating other classes.
Internet protocol (IP). In the Internet suite of protocols, a connectionless protocol that routes data through a network or interconnected networks. IP acts as an intermediary between the higher protocol layers and the physical network.
Internet suite of protocols. A set of protocols developed for use on the Internet and published through the Internet Engineering Task Force (IETF).
interprocess communication (IPC). (1) The process by which programs communicate data to each other and synchronize their activities. Semaphores, signals, and internal message queues are common methods of interprocess communication. (2) A mechanism of an operating system that allows processes to communicate with each other within the same computer or over a network.
IP. See Internet protocol.
IPC. See interprocess communication.
J
junction. A logical connection that is created to establish a path from one server to another.
K
KDC. See key distribution center.
Kerberos. An authentication system that enables two parties to exchange private information over an otherwise open network. It works by issuing a ticket to each user who logs on to the network. The ticket is then embedded in messages that are sent over the network, and the receiver of a message uses the ticket to authenticate the sender.
Kerberos ticket. A transparent application mechanism that transmits the identity of an initiating principal to its target. A simple ticket contains the identity, a session key, a timestamp, and other information that is sealed using a secret key.
key. In computer security, a sequence of symbols that is used with a cryptographic algorithm for encrypting or decrypting data. See private key and public key.
key database file. See key file.
key distribution center (KDC). In the Kerberos protocol, the central server, which includes the authentication server and the ticket-granting server. The KDC is sometimes referred to as the Kerberos server.
key file. In computer security, a file that contains public keys, private keys, trusted roots, and certificates.
key pair. In computer security, a public key and a private key. When the key pair is used for encryption, the sender uses the public key to encrypt the message, and the recipient uses the private key to decrypt the message. When the key pair is used for signing, the signer uses the private key to produce a signature over a representation (usually a hash) of the message, and the recipient uses the public key to verify that signature. The key pair is called asymmetric because the two keys are different and the private key cannot feasibly be derived from the public key.
key ring. See key file.
keystore file. A key file that contains both public keys stored as signer certificates and private keys stored in personal certificates.
keytab file. See key table.
key table. In the Kerberos protocol, a file that contains service principal names and secret keys. The secret keys should be known only to the services that use the key table file and the key distribution center (KDC).
key-value pair. Information that is expressed as a paired set.
L
LDAP. See lightweight directory access protocol.
leaf node. A node that has no children below it in the directory tree.
lightweight directory access protocol (LDAP). An open protocol that uses TCP/IP to provide access to directories that support an X.500 model and that does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). For example, LDAP can be used to locate people, organizations, and other resources in an Internet or intranet directory.
lightweight third party authentication (LTPA). An authentication protocol that uses cryptography to support security across a set of Web servers in a distributed environment.
LTPA. See lightweight third party authentication.
M
management domain. The default domain in which Tivoli Access Manager enforces security policies for authentication, authorization, and access control. This domain is created when the policy server is configured. See also domain.
management interface. The interface that a domain administrator can use to manage security policy. In Tivoli Access Manager, an administrator can use Web Portal Manager or the pdadmin commands to apply security policy to resources.
management server. Obsolete. See policy server.
master server. In a network environment, the server that has permissions to run commands on all other machines in the environment. The master server is designed to manage the network, clients, and resource objects in the network database. Contrast with replica server.
metadata. Data that describes the characteristics of stored data.
migration. The installation of a new version or release of a program to replace an earlier version or release.
MPA. See multiplexing proxy agent.
multi-factor authentication. A protected object policy (POP) that forces a user to authenticate using two or more levels of authentication. For example, the access control on a protected resource can require that users authenticate with both a user name and password and a user name and token passcode.
multiple tenancy server. A server that permits the hosting of multiple customers on a single server instead of multiple client machines. See also protected object policy.
multiplexing proxy agent (MPA). A gateway that accommodates multiple client access. These gateways are sometimes known as Wireless Application Protocol (WAP) gateways when clients access a secure domain using WAP. Gateways establish a single authenticated channel to the originating server and tunnel all client requests and responses through this channel.
N
namespace. (1) In XML, a uniform resource identifier (URI) that provides a unique name to associate with all the elements and type definitions in a schema. (2) Space reserved by a file system to contain the names of its objects.
network-based authentication. A protected object policy (POP) that controls access to objects based on the Internet protocol (IP) address of the user. See also protected object policy.
notification thread. The synchronization mechanism that the policy server uses to inform all database replicas of a change to the master policy database.
O
object. (1) In object-oriented design or programming, a concrete realization (instance) of a class that consists of data and the operations associated with that data. An object contains the instance data that is defined by the class, but the class owns the operations that are associated with the data. (2) Any digital content that a user can manipulate as a single unit to perform a task. An object can appear as text, an icon, or both. (3) A named storage space that consists of a set of characteristics that describe the space and, in some cases, data. An object is anything that occupies space in storage, can be located in a library or directory, can be secured, and on which defined operations can be performed. Some examples of objects are programs, files, libraries, and stream files.
object space. A virtual representation of the resources to be protected. See also namespace.
object type. A categorization or group of object instances that share similar behavior and characteristics.
P
PAC. See privilege attribute certificate.
PDCA. See Policy Director Certificate Authority.
permission. The ability to access a protected object, such as a file or directory. The number and meaning of permissions for an object are defined by the access control list (ACL). See also access control list.
pipe log agent. A log agent that writes events as standard input to another program. See also console log agent, file log agent, and remote log agent.
policy. A set of rules that are applied to managed resources.
policy database. The database that contains the security policy information for all resources in the domain. Each domain has its own policy database.
Policy Director Certificate Authority (PDCA). A trusted certificate that is created during the configuration of the policy server and that is used to sign all other Tivoli Access Manager certificates. A PDCA certificate is stored in the master policy database.
policy enforcer. A component of a resource manager that submits requests to the authorization service and allows them to proceed only after authorization is granted. Traditional applications bundle the policy enforcer and the resource manager as one process.
policy server. The Tivoli Access Manager component that maintains the master policy database, replicates this policy information throughout the secure domain, and updates database replicas whenever a change is made to the master policy database. The policy server also maintains location information about other Tivoli Access Manager and non-Tivoli Access Manager resource managers that are operating in the secure domain.
polling. The process by which databases are interrogated at regular intervals to determine if data needs to be transmitted.
POP. See protected object policy.
portal. A single point of access to diverse information and applications. Users can customize and personalize a portal.
principal. (1) An entity that can communicate securely with another entity. (2) An authenticated user. A principal is identified by its associated security context, which defines its access rights.
private key. In computer security, a key that is known only to its owner. Contrast with public key.
privilege attribute certificate (PAC). A digital document that contains a principal's authentication and authorization attributes and a principal's capabilities.
privilege attribute certificate service. An authorization API runtime client plug-in that translates a PAC of a predetermined format into a Tivoli Access Manager credential, and vice versa. These services can also be used to package or marshal a Tivoli Access Manager credential for transmission to other members of the secure domain. Customers can develop these services using the authorization ADK. See also privilege attribute certificate.
protected object. The logical representation of an actual system resource that is used for applying ACLs and POPs and for authorizing user access. See also protected object policy and protected object space.
protected object policy (POP). A type of security policy that imposes additional conditions on the operation permitted by the ACL policy to access a protected object. It is the responsibility of the resource manager to enforce the POP conditions. See also ACL policy, authorization rule, protected object, and protected object space.
protected object space. The virtual object representation of actual system resources that is used for applying ACLs and POPs and for authorizing user access. See also protected object and protected object policy.
proxy server. A server that receives requests intended for another server and that acts on behalf of a client to obtain the requested service. A proxy server is often used when the client and the server are incompatible for direct connection; for example, the client cannot meet the security authentication requirements of the server but should be permitted some services.
public key. In computer security, a key that is made available to everyone. Contrast with private key.
Q
quality of protection. The level of data security, determined by a combination of authentication, integrity, and privacy conditions.
R
record. (1) The storage representation of a single row of a table or other data in a database. (2) A group of related data, words, or fields treated as a unit.
registry. The datastore that contains access and configuration information for users, systems, and software.
remote cache mode. An operational mode in which a resource manager uses the functions that are provided by the authorization API to communicate to the remote authorization server.
remote log agent. A log agent that sends events to a remote server for recording. See also console log agent, file log agent, and pipe log agent.
replica server. A server that contains a copy of the directory or directories of another server. Replicas back up master servers or other replica servers to enhance performance or response times and to ensure data integrity. Contrast with master server.
resource. A hardware, software, or data entity that is managed.
resource group. A group of resources that can include business objects such as contracts or a set of related commands. In access control policies, resource groups specify the resource to which the policy authorizes access.
resource manager. (1) An application, program, or transaction that manages and controls access to shared resources, such as memory buffers and data sets. (2) Any server or application that uses the authorization API to process client requests for access to resources.
resource object. The representation of an actual network resource, such as a service, file, or program.
response file. An ASCII file that can be customized with the setup and configuration data that automates an installation. The setup and configuration data has to be entered during an interactive installation, but with the response file, the installation can proceed without user interaction. See also silent installation.
role. A definition of the access permissions that a user or process has and the specific resources that the user or process can modify at those levels. Users and processes are limited in how they can access resources when that user or process does not have the appropriate role.
role activation. The process of applying access permissions to a role.
role assignment. The process of assigning a role to a user, such that the user has the appropriate access permissions for the object defined for that role.
root container object. The top-level container object in the hierarchy of resource objects.
root domain. Name servers that have authoritative control of all the top-level domains.
routing file. An ASCII file that contains commands that control the configuration of messages.
routing table. A collection of path information through which hosts or networks can communicate with each other.
RSA. A public-key encryption technology that was developed by RSA Data Security, Inc., and used by GSKit. The acronym stands for Rivest, Shamir, and Adleman, the inventors of this encryption technique.
RSA encryption. A system for public-key cryptography used for encryption and authentication. The security of the system depends on the difficulty of factoring the product of two large prime numbers.
rule. A set of logical statements that enable a server to recognize relationships among events and to perform automated responses accordingly.
rules evaluator. The component responsible for evaluating an authorization rule.
run time. The time period during which a computer program is running.
runtime environment. A subset of an application development kit (ADK) that contains the executable files and other supporting files that comprise the operational environment of the platform.
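The key pair, digital signature and RSA encryption entries describe the two uses of an asymmetric key pair and state that RSA's security rests on the difficulty of factoring. The following is an added example, not code from the Tivoli Access Manager documentation or from GSKit: a textbook RSA key pair built from two deliberately tiny, constructed primes, used both ways, followed by the attack the glossary alludes to. With primes this small the factoring step succeeds immediately; real keys use primes of at least 1024 bits and padding (OAEP for encryption, PSS for signatures), neither of which this toy has.

```python
"""Toy RSA key pair: encrypt/decrypt, sign/verify, and the factoring attack.

Added example; not code from the Tivoli Access Manager documentation or GSKit.
It illustrates the glossary entries for key pair, digital signature and RSA
encryption: the public key encrypts and verifies, the private key decrypts and
signs, and whoever can factor the modulus recovers the private key. The primes
are tiny and constructed so that the attack runs in well under a second; this
is a teaching toy with no padding, not a usable cryptosystem.
"""
import hashlib
from math import gcd, isqrt
from typing import Optional, Tuple

# Constructed toy primes (both prime); a real key uses random primes of >= 1024 bits each.
P, Q = 1000003, 999983
E = 65537

Key = Tuple[int, int]  # (n, e) for a public key, (n, d) for a private key


def make_keypair(p: int = P, q: int = Q, e: int = E) -> Tuple[Key, Key]:
    """Return ((n, e), (n, d)). The public key (n, e) is published; d stays private."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub: Key, m: int) -> int:
    """Sender side: anyone with the public key can encrypt."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(priv: Key, c: int) -> int:
    """Recipient side: only the private key decrypts."""
    n, d = priv
    return pow(c, d, n)


def _digest(msg: bytes, n: int) -> int:
    """The 'representation of the message' that gets signed: a hash reduced into [0, n)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv: Key, msg: bytes) -> int:
    """Signer side: the private key produces the signature."""
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(pub: Key, msg: bytes, sig: int) -> bool:
    """Verifier side: the public key checks the signature against the message hash."""
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


def factor(n: int) -> Optional[Tuple[int, int]]:
    """Trial division: feasible only because n is tiny. That gap is the whole security argument."""
    if n % 2 == 0:
        return 2, n // 2
    limit = isqrt(n)
    f = 3
    while f <= limit:
        if n % f == 0:
            return f, n // f
        f += 2
    return None


def recover_private_key(pub: Key) -> Key:
    """Given only the public key, factor n and rebuild d exactly as the owner did."""
    n, e = pub
    pq = factor(n)
    if pq is None:
        raise ValueError("could not factor n")
    p, q = pq
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = make_keypair()
    c = encrypt(pub, 123456789)
    print("decrypts correctly:", decrypt(priv, c) == 123456789)
    s = sign(priv, b"transfer 100")
    print("signature verifies:", verify(pub, b"transfer 100", s))
    print("altered message rejected:", not verify(pub, b"transfer 1000", s))
    print("private key recovered by factoring:", recover_private_key(pub) == priv)
```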
S
scalability. The ability of hardware, software, or a distributed system to maintain performance levels as it increases in size and in the number of users who access resources.
schema. The set of statements, expressed in a data definition language, that completely describes the structure of data that is stored in a database, directory, or file.
Secure Sockets Layer (SSL). A security protocol that provides communication privacy. SSL enables client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.
security context. The digitally signed token that identifies a principal, lists the roles and access rights for the principal, and contains information about when the token expires.
security management. The software discipline that addresses how an organization can control access to mission-critical applications and data.
security policy. (1) A written document that defines the security controls that you institute for your computer systems. A security policy describes the risks that you intend to minimize and the actions that should be taken if someone breaches your security controls. (2) In Tivoli Access Manager, the combination of ACL policies, authorization rules, and protected object policies attached to objects to make them protected objects. See also ACL policy, authorization rule, and protected object policy.
self-registration. The process by which a user can enter required data and become a registered user without the involvement of an administrator.
service. Work performed by a server. A service can be a simple request for data to be sent or stored (as with file servers, HTTP servers, or e-mail servers), or it can be for more complex requests (as with print servers or process servers). See also daemon.
session. A series of requests to a server or application that originate from the same user at the same browser.
silent installation. An installation that does not send messages to the console but instead stores messages and errors in log files. Also, a silent installation can use response files for data input. See also response file.
single sign-on (SSO). The mechanism that allows a user to log on once and access multiple applications through a single authorization challenge. Using SSO, a user does not need to log on to each application separately. See also global sign-on.
SSL. See Secure Sockets Layer.
SSO. See single sign-on.
stanza. A group of lines in an ASCII file that together have a common function or define a part of a system. Stanzas are usually separated by blank lines or colons, and each stanza has a name.
stash file. The local copy of the master key file that resides in an encrypted format on the local disk. Protect it with file system permissions: anyone who can read the stash file can open the key file that it unlocks.
step-up authentication. A protected object policy (POP) that relies on a preconfigured hierarchy of authentication levels and enforces a specific level of authentication according to the policy set on a resource. The step-up authentication POP does not force the user to authenticate using multiple levels of authentication to access any given resource, but it requires the user to authenticate at a level at least as high as that required by the policy protecting the resource. See also protected object policy.
suffix. A distinguished name that identifies the top entry in a locally held directory hierarchy. Because of the relative naming scheme used in Lightweight Directory Access Protocol (LDAP), this suffix applies to every other entry within that directory hierarchy. A directory server can have multiple suffixes, each identifying a locally held directory hierarchy.
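The entries for permission, protected object policy, network-based authentication, multi-factor authentication and step-up authentication describe a two-stage decision: the ACL says whether a principal holds the permission at all, and the POP adds conditions (required authentication level, source network) that the resource manager must enforce. The following model is an added example, not code from Tivoli Access Manager or its documentation; the object names, permission letters, numeric authentication levels and per-network rule format are assumptions made for the illustration. It shows the one point that matters operationally: failing a step-up condition is not the same outcome as an ACL denial, because the remedy is a stronger login rather than a refusal.

```python
"""Model of ACL and protected object policy (POP) checks on a protected object space.

Added example; this is not code from Tivoli Access Manager or its documentation.
It illustrates the glossary entries for protected object space, permission,
protected object policy, network-based authentication and step-up
authentication. The object names, permission letters, numeric authentication
levels and the per-network rule format are assumptions of this example, not
the product's own syntax.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, Iterator, List, Optional, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset
    auth_level: int   # 0 = unauthenticated; higher means a stronger login (assumed scale)
    ip: str


@dataclass
class Acl:
    """Maps users and groups to the permission letters they hold."""
    users: Dict[str, str] = field(default_factory=dict)
    groups: Dict[str, str] = field(default_factory=dict)
    any_other: str = ""        # authenticated principals with no matching entry
    unauthenticated: str = ""

    def permissions_for(self, p: Principal) -> str:
        if p.auth_level == 0:
            return self.unauthenticated
        if p.name in self.users:
            return self.users[p.name]          # a user entry overrides group entries
        granted = "".join(self.groups.get(g, "") for g in sorted(p.groups))
        return granted or self.any_other


@dataclass
class Pop:
    """Extra conditions on top of the ACL; the resource manager must enforce them."""
    required_level: int = 0
    # network-based authentication: first matching network wins, so list the
    # most specific networks first; a level of None means "deny from here".
    ip_rules: List[Tuple[Network, Optional[int]]] = field(default_factory=list)
    default_ip_level: Optional[int] = 0     # None: deny from any network not listed


@dataclass
class Decision:
    allowed: bool
    reason: str
    step_up_to: Optional[int] = None   # set when a stronger login, not a denial, is the remedy


class ObjectSpace:
    """Policies attach to nodes; a node without its own inherits the nearest ancestor's."""

    def __init__(self) -> None:
        self.acls: Dict[str, Acl] = {}
        self.pops: Dict[str, Pop] = {}

    @staticmethod
    def _ancestors(obj: str) -> Iterator[str]:
        parts = obj.rstrip("/").split("/")
        for depth in range(len(parts), 0, -1):
            yield "/".join(parts[:depth]) or "/"

    def _nearest(self, table: Dict[str, object], obj: str):
        for node in self._ancestors(obj):
            if node in table:
                return table[node]
        return None

    def authorize(self, p: Principal, obj: str, perm: str) -> Decision:
        acl = self._nearest(self.acls, obj)
        if acl is None or perm not in acl.permissions_for(p):
            return Decision(False, f"ACL does not grant '{perm}' on {obj} to {p.name}")
        pop = self._nearest(self.pops, obj)
        if pop is None:
            return Decision(True, "ACL grants access; no POP attached")
        addr = ip_address(p.ip)
        ip_level = pop.default_ip_level
        for net, level in pop.ip_rules:
            if addr in net:
                ip_level = level
                break
        if ip_level is None:
            return Decision(False, f"POP forbids access to {obj} from {p.ip}")
        needed = max(pop.required_level, ip_level)
        if p.auth_level < needed:
            return Decision(False,
                            f"authentication level {p.auth_level} is below the required {needed}",
                            step_up_to=needed)
        return Decision(True, "ACL grants access and POP conditions are met")


def sample_space() -> ObjectSpace:
    """Constructed sample policy for the demonstration (not a real deployment)."""
    space = ObjectSpace()
    # staff may read the application, administrators may also write; nobody anonymous
    space.acls["/WebSEAL/www/app"] = Acl(groups={"staff": "r", "admins": "rw"})
    space.pops["/WebSEAL/www/app"] = Pop(required_level=1)
    # the admin area demands a level-2 login and is reachable only from 10.0.0.0/8
    space.pops["/WebSEAL/www/app/admin"] = Pop(
        required_level=2,
        ip_rules=[(ip_network("10.0.0.0/8"), 2)],
        default_ip_level=None,
    )
    return space


if __name__ == "__main__":
    space = sample_space()
    staff = Principal("alice", frozenset({"staff"}), 1, "10.1.2.3")
    admin = Principal("bob", frozenset({"admins"}), 1, "10.1.2.4")
    print(space.authorize(staff, "/WebSEAL/www/app/index.html", "r"))
    print(space.authorize(admin, "/WebSEAL/www/app/admin/users", "w"))   # step-up to level 2
```

A resource manager that treats `step_up_to` as an ordinary denial breaks the step-up flow the glossary describes; the distinction is what lets it redirect the user to a stronger login and retry, while a network-rule deny or a missing ACL permission stays a hard refusal.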
T
ticket. See Kerberos ticket.
token. A sequence of bits (symbol of authority) that is passed successively along a transmission medium from one device to another to indicate the device that is temporarily in control of the transmission medium. Each device can acquire and use the token to control the medium.
trusted root. In the Secure Sockets Layer (SSL), the public key and associated distinguished name of a certificate authority (CA). See also Secure Sockets Layer.
U
uniform resource identifier (URI). The character string used to identify an abstract or physical resource on the Internet. A URI typically describes how to access the resource, the computer that contains the resource, and the name of the resource. The most common form of URI is the Web page address, which is a particular subset of URI called uniform resource locator (URL). See also uniform resource locator.
uniform resource locator (URL). A character string that represents resources on a computer or in a network, such as the Internet. The URL includes the abbreviated name of the protocol used to access the information resource and the information used by the protocol to locate the resource.
URI. See uniform resource identifier.
URL. See uniform resource locator.
user. Any person, organization, process, device, program, protocol, or system that uses a service provided by others.
user registry. See registry.
V
virtual hosting. The capability of a Web server that allows it to appear as more than one host to the Internet.
W
Web Portal Manager (WPM). A Web-based graphical application used to manage Tivoli Access Manager security policy in a secure domain. An alternative to the pdadmin command line interface, this GUI enables remote administrator access and enables administrators to create delegated user domains and assign delegate administrators to these domains.
Web resource. Any one of the resources that are created during the development of a Web application; for example, Web projects, HTML pages, JSP files, servlets, custom tag libraries, and archive files.
WebSEAL. A high performance, multi-threaded Web server that applies a security policy to a protected object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.
Web session. See session.
WPM. See Web Portal Manager.
X
XML. See Extensible Markup Language.
XML transform. A standard that uses XSL stylesheets to transform XML documents into other XML documents or fragments or to transform XML documents into HTML documents.
XSL. See Extensible Stylesheet Language.
XSL stylesheet. Code that describes how an XML document should be rendered (displayed or printed).
XSLT. See Extensible Stylesheet Language Transformation.
A
Access Manager ADK
  overview 8
Access Manager Plug-in for Edge Server
  overview 8
Access Manager Plug-in for Web Servers
  overview 8
Access Manager Runtime
  Active Directory configuration options 382
  configuration options 408
  Domino configuration options 389
  installation directory 379, 383
  installing on AIX 193
  installing on HP-UX 194
  installing on Linux 195
  installing on Solaris 197
  installing on Solaris on x86_64 197
  installing on Windows 199
  installing using the wizard 191
  LDAP configuration options 378
  pdconfig options (Active Directory) 451
  pdconfig options (Domino) 455
  pdconfig options (LDAP) 448
  uninstalling on AIX 352
  uninstalling on HP-UX 353
  uninstalling on HP-UX on Integrity 353
  uninstalling on Linux 355
  uninstalling on Solaris 357
  uninstalling on Solaris on x86_64 357
  uninstalling on Windows 358
Access Manager Runtime for Java
  configuration options 397
  configuration type 459
  installation components 16
  installing on AIX 175
  installing on HP-UX 176
  installing on Linux 177
  installing on Solaris 178
  installing on Solaris on x86_64 178
  installing on Windows 180
  installing using native utilities 175
  installing using the wizard 173
  overview 6
  pdconfig options 459
  setting up 173
  uninstalling on AIX 352
  uninstalling on HP-UX 353
  uninstalling on HP-UX on Integrity 353
  uninstalling on Linux 355
  uninstalling on Solaris 357
  uninstalling on Solaris on x86_64 357
  uninstalling on Windows 358
Access Manager Session Management Command Line
  See session management command line
administrative user creating for Lotus Domino 110 creating for Microsoft Active Directory 118 administrator ID for management domain 458, 461, 462, 464, 465, 467, 471 IDS (Tivoli Directory Server) 364 LDAP DN 374 LDAP password 374 local ID 457 local password 457 password 364, 373 sec_master password 373 administrator DN setting Instance Administration Tool 93 administrator ID Active Directory 384, 453 ID for management domain 470 administrator IDs required for Tivoli Access Manager 30 administrator IDs, required db2admin (Windows) 59 ldapdb2 (UNIX) 59 administrator password Active Directory 384, 453 setting Instance Administration Tool 93 AIX installing a development (ADK) system 164 installing a policy proxy server 183 installing Access Manager Runtime 193 installing Access Manager Runtime for Java 175 installing GSKit 312 installing IBM Java Runtime 318 installing IBM Tivoli Directory Server 62 installing language packages 39 installing session management command line 298 installing session management server 285 installing the attribute retrieval service 220 installing the authorization server 155 installing the plug-in for Apache Web Server 242 installing the plug-in for Edge Server 226 installing the plug-in for IBM HTTP Server 247 installing the plug-in for Sun Java System Web Server 254 installing the policy server 142 installing the Tivoli Directory Server client 327 installing the Web security development (ADK) 261 installing Tivoli Security Utilities 323 installing Web Administration Tool 338 installing Web Portal Manager 204 installing WebSEAL 269 installing WebSphere Application Server 333 setting the EXTSHM environment variable 241, 243, 248 uninstalling components 351 am_key.kdb sample key file 58, 360, 369 amauditcfg utility 548 amldif2V6 command 138 amwebcfg utility 552 amwpmcfg utility 557 Apache Web Server installation components 18 application server definition 522 ARS See attribute retrieval service attribute retrieval service configuration 
options 434
attribute retrieval service (continued) installation components 17 installing on AIX 220 installing on HP-UX 221 installing on Linux 222 installing on Solaris 223 installing on Windows 223 installing using native utilities 220 installing using the wizard 219 local host name 457 overview 8 pdconfig options 457 setting up 219 uninstalling on HP-UX 353 uninstalling on HP-UX on Integrity 353 uninstalling on Linux 355 uninstalling on Windows 358 Attribute Retrieval Service uninstalling on AIX 352 uninstalling on Solaris 356 uninstalling on Solaris on x86_64 356 auditing configuring 548 starting 548 stopping 548 authentication server 480 server and client 480, 504 authority object 495 authorization policy updates listening port number 464 authorization request port number 458 authorization request port 458 authorization server configuration options 392 installation components 15 installing on AIX 155 installing on HP-UX 156 installing on HP-UX on Integrity 156 installing on Linux 158 installing on Solaris 159 installing on Solaris on x86_64 159 installing on Windows 161 installing using native utilities 155 installing using the wizard 154 local host name 458 overview 5 pdconfig options 458 setting up 153 uninstalling on AIX 352 uninstalling on HP-UX 353 uninstalling on HP-UX on Integrity 353 uninstalling on Linux 355 uninstalling on Solaris 356 uninstalling on Solaris on x86_64 356 uninstalling on Windows 358
B
backing up database idsdbback command 99 base components Access Manager License 7 Access Manager Runtime for Java Application Development Kit 5 authorization server 5
base components (continued) policy proxy server 5 policy server 6 runtime 6 Tivoli Security Utilities 7 Web Portal Manager 7 base system installation 53 base systems options files 607 bassslcfg add replica (deprecated) 561 change password 561 change replica (deprecated) 561 configure 561 get certificate 561 get management domain 561 modify 561 ping server 561 remove replica (deprecated) 561 bassslcfg utility 561 books see publications ix, xii
C
CARS See Common Audit Web service certificate server 498, 499 Certificate Authority adding a signer certificate 477, 502, 506, 508 receiving personal certificate 476, 506 requesting personal certificate 476, 505 certificate authority object 495 certificate file, pdcacert.b64 144 certificate label SSL key file 373 certificate label, SSL 453, 472 certificate lifecycle, SSL 373 certificates creating authority object 495 exporting on Active Directory server 488 extracting self-signed for Novell eDirectory server importing on LDAP client system 489 lifecycle 465 signer 497 client authentication, LDAP 504 client certificate label 453, 472 client key file 463 client system, LDAP 489 cluster resources 518 cluster topology 516 cn=root LDAP administrator DN 374 code sets file directory locations 50 language support 50 command line IBM Tivoli Directory Server 104 commands amldif2V6 138 gskkyman 486 ibmdirctl 481, 483 idscfgdb 98 idscfgsuf 100 idsdiradm 481 idsidrop 350 idsldapmodify 481
496
commands (continued) idsldapsearch 482, 509 idsslapd 481 install_amwebadk 259 install.exe 337 installp (AIX) plug-in for Apache Web Server 242 plug-in for Edge Server 226 plug-in for IBM HTTP Server 247 plug-in for Sun Java System Web Server 254 Web security development (ADK) 261 ivrgy_tool.exe 130 locale 47, 55 pdconfig 447 pkgadd (Solaris on x86_64) 187 pkgadd (Solaris) 187 plug-in for Apache Web Server 245 plug-in for Edge Server 228 plug-in for IBM HTTP Server 250 plug-in for Sun Java System Web Server 256 Web security development (ADK) 264 pkmspasswd 107 ps 132 rpm (Linux) 249, 263 plug-in for Apache Web Server 244 plug-in for Edge Server 227 setup.exe (Windows) 188 plug-in for Edge Server 230 plug-in for Internet Information Services 253 Web security development (ADK) 265 startServer 101 startServer.bat 343 swinstall (HP-UX) Web security development (ADK) 262 commands (Tivoli Directory Server) ibmdiradm 101 idscfgdb 98 idsldapadd 105 idsucfgdb 349 idsxcfg 96, 349 idsxinst 350 ldapmodify 108 commands, configuration 547 amwpmcfg 203 pdjrtecfg 203 commands, installation gsk7ikm (GSKit) 311 install_amacld 154 install_amadk 163 install_amjrte 173 install_ammgr 141 install_amproxy 181 install_amrte 191 install_amsms 282 install_amsmscli 296 install_amweb 267 install_amwebars 219 install_amwpi 241 install_amwpm 201 install_ldap_server 57 Common Audit Web service configuring 548 unconfiguring 548 common problems reporting describing problem 648 determining business impact 647 Index
common problems (continued) reporting (continued) gathering information 648 submitting problems 648 components required for Tivoli Access Manager 15 Tivoli Access Manager base 5 Tivoli Access Manager prerequisites 10 Tivoli Access Manager Web security 8 unconfiguring for Tivoli Access Manager 348 configuration HACMP example 515 SSL for Tivoli Directory Server 474 Tivoli Access Manager for LDAP 106 Tivoli Directory Server for Tivoli Access Manager 100 configuration commands 547 configuration considerations Microsoft Active Directory 114 configuration files activedir.conf 454 httpd.conf 205 ibmproxy.conf 227 osdef.conf 232 pdwebpi.conf 242 slapd.conf 485 Web servers on UNIX 462 configuration options Access Manager Runtime 408 Access Manager Runtime (Active Directory) 451 Access Manager Runtime (Domino) 455 Access Manager Runtime (LDAP) 448 Access Manager Runtime for Java 397, 459 Active Directory 382 attribute retrieval service 434, 457 authorization server 392, 458 development (ADK) 396 Domino 389 LDAP 378 pdconfig 447 Plug-in for Edge Server 461 plug-in for Web Servers 435 Plug-in for Web Servers on UNIX 462 Plug-in for Web Servers on Windows 464 policy proxy server 404, 467 policy server 399, 465 session management command line 420 session management server 409 Tivoli Directory Server 442 Web Portal Manager 439, 468 Web Security ADK 430 WebSEAL 424, 471 configuration type, JRE 459 configuration, plug-in for Edge Server object space model 235 overview 231 server concepts 233 server model 232 single sign-on model 236 summarizing for Edge Server 237 configure smscfg utility 594 configuring database Configuration Tool 97 connection timeout 465 connections, encrypted 386, 451 considerations Microsoft Active Directory 114
console mode installation 25 conventions typeface xiv creating standby policy server 523 creation Microsoft Active Directory administrative user 118 Microsoft Active Directory domain 115 customer support contacting 647 obtaining fixes 645 receiving updates from 646 registering with 646 searching information centers 645 searching knowledge bases 645 searching the Internet 645 submitting problems 648
D
data location distinguished name 388, 453 database configuring idscfgdb command 98 Instance Administration Tool 92 database instance owner creating 59 requirements 59 database name 98 Tivoli Access Manager 391, 455 database owner creating 59 requirements 59 database owner ID, DB2 362 database, backing up idsdbback command 99 database, configuring Configuration Tool 97 DB2 administration ID 362 database owner ID 362 uninstalling on AIX 352 uninstalling on HP-UX 354 uninstalling on HP-UX on Integrity 354 uninstalling on Linux 355 uninstalling on Solaris 357 uninstalling on Solaris on x86_64 357 defaults port numbers 33 deployment planning for 3 deprecated bassslcfg chg_replica 561 bassslcfg rmv_replica 561 bassslcfg add_replica 561 development (ADK) system setting up 163, 259 directives for languages 49 directories primary HACMP server 530 standby HACMP server 533 directory name common log file location 460 directory names Access Manager Runtime 379, 383 IBM Global Security Kit 378, 382 IBM Tivoli Directory Server client 378, 382
directory names (continued) IBM Tivoli Security Utilities 378, 383 Tivoli Common Directory 379, 454 directory names, notation xv directory server instance backup 99 configuring a database 98 configuring a suffix 99 configuring database 97 creating with Instance Administration Tool 87 removing 350 setting administrator DN and password 96 directory server instance owner creating 59 requirements 59 Directory Server Web Administration Tool 11 distinguished name Active Directory 388 Active Directory data location 453 LDAP administrator 374 DN See distinguished name doAudit stanza entry 548 documentation IBM TAM Language Support for AIX 64 IBM TAM Language Support for HP-UX 64 IBM TAM Language Support for Linux 75 IBM Tivoli Directory Server 54 IBM z/OS LDAP Server 108 Microsoft Active Directory 114 Novell eDirectory 127 Sun Java System Directory Server 132 domain creating for Microsoft Active Directory 115 joining for Microsoft Active Directory 116 domain controller host name 386, 451 Active Directory 451 domain name Active Directory 451 domains administrator ID 458, 461, 462 authorization server 458 multiple, Active Directory 386, 451 policy server 459 Tivoli Access Manager 380, 449 Domino Access Manager Runtime pdconfig options 455 registry 389, 455 runtime configuration options 389 server name 391, 455
environment scenario, HACMP 513 environment variables 46 environment variables, notation xv examples HACMP configuration 515 primary HACMP server 530 standby HACMP server 533
F
Federal Information Processing Standard See FIPS files java.security 316 key database (.kdb) 475, 482, 501, 504 LDAP SSL client key file 463 PDMdata.nsf 391, 455 stash (.sth) 475, 502, 505 FIPS enabling access on the LDAP server 483 overview 10 fixes, obtaining 645
G
Global Security Kit See GSKit graphical mode installation 23 groups required for Tivoli Access Manager 30 groups, required idsldap 60 gsk7ikm (GSKit) command 311 GSKit iKeyman 22 installing 311 installing on AIX 312 installing on HP-UX 312 installing on HP-UX on Integrity 312 installing on Linux 313 installing on Solaris 314 installing on Solaris on x86_64 314 installing on Windows 315 overview 10 setting up iKeyman utility 315 uninstalling on AIX 351 uninstalling on HP-UX 353 uninstalling on HP-UX on Integrity 353 uninstalling on Linux 354 uninstalling on Solaris 356 uninstalling on Solaris on x86_64 356 gskkyman command 486
E
Edge Server pdconfig options (UNIX) 461 port number 461, 462 Web Traffic Express 461 education see Tivoli technical training xiii enabling FIPS 483 enabling SSL 473 encrypted connections 386, 451 encryption salt specifying 91 encryption seed specifying 90
H
HACMP configuration example 515 creating a standby policy server 523 environment scenario 513 linking files and directories 529 linking from AIX files to shared directory 532 preinstallation requirements 512 setting UIDs 527 setting up a standby policy server 511 topology, application server definition 522
HACMP (continued) topology, cluster resources 518 topology, overall cluster 516 verifying for primary server 530 verifying for standby server 533 High Availability Cluster Multiprocessing See HACMP host name attribute retrieval service 457 LDAP server 372, 380, 448 local 364 policy server 380, 449, 458, 459, 467 policy server (Active Directory) 385, 452 policy server (Domino) 390, 456 WebSEAL 471 host name, local attribute retrieval service 457 authorization server 458 policy proxy server 467 HP-UX installing a development (ADK) system 165 installing a policy proxy server 184 installing Access Manager Runtime 194 installing Access Manager Runtime for Java 176 installing GSKit 312 installing IBM Java Runtime 319 installing IBM Tivoli Directory Server 67 installing language packages 40 installing session management command line 299 installing session management server 286 installing the attribute retrieval service 221 installing the authorization server 156 installing the policy server 144 installing the Tivoli Directory Server client 328 installing the Web security development (ADK) 262 installing Tivoli Security Utilities 323 installing Web Administration Tool 339 installing Web Portal Manager 206 installing WebSEAL 270 installing WebSphere Application Server 334 uninstalling components 353 HP-UX on Integrity installing a development (ADK) system 165 installing a policy proxy server 184 installing GSKit 312 installing IBM Java Runtime 319 installing IBM Tivoli Directory Server 67 installing language packages 40 installing the authorization server 156 installing the policy server 144 installing the Tivoli Directory Server client 328 installing the Web security development (ADK) 262 installing Web Administration Tool 339 installing WebSEAL 270 installing WebSphere Application Server 334 uninstalling components 353 HTTP access 471 port 471 httpd.conf 205 HTTPS access 471 port 471
I
IBM DB2 configuration options 363 IBM Global Security Kit installation directory 378, 382 IBM Global Security Kit (GSKit) See GSKit IBM HTTP Server uninstalling on AIX 352 uninstalling on HP-UX 354, 358 uninstalling on Linux 356 uninstalling on Solaris 357 IBM Java Runtime See also JRE installing 318 installing on AIX 318 installing on HP-UX 319 installing on HP-UX on Integrity 319 installing on Linux 320 installing on Solaris 321 installing on Solaris on x86_64 321 installing on Windows 321 pdconfig options 459 IBM Network Authentication Service Toolkit 12 IBM Tivoli Configuration Manager See IBM Tivoli Configuration Manager IBM Tivoli Directory Integrator for idssupport tool 65, 69, 75, 80, 86 for log management tool 65, 69, 75, 80, 86 for SNMP 65, 69, 75, 80, 86 IBM Tivoli Directory Server See Tivoli Directory Server command line 104 configuration options 364 installation components 16 installation on AIX 62 installation wizard 57 installing on HP-UX 67 installing on HP-UX on Integrity 67 installing on Linux 72 installing on Solaris 78 language support packages (one required) 39 native utilities 58 overview 11 registry 13 setup 54 Web Administration Tool 101 IBM Tivoli Directory Server client See also Tivoli Directory Client See also Tivoli Directory Server client installation directory 378, 382 IBM Tivoli Directory Server interface See Web Administration Tool IBM Tivoli Security Utilities See Tivoli Security Utilities installation directory 378, 383 IBM WebSphere Application Server See WebSphere Application Server IBM z/OS configuring SSL 485 creating key database file 486 IBM z/OS LDAP Server adding suffixes 106 configuring Tivoli Access Manager for LDAP 106 documentation 108 native authentication 107 registry 13
IBM z/OS LDAP Server (continued) setting up 105 updating schema files 106 ibmdiradm command 101 ibmdirctl command 481, 483 ibmproxy.conf configuration file 227 idscfgdb 98 idscfgdb command 98 idscfgsuf 100 idsdbback command 99 idsdiradm command 481 idsidrop 350 idsldap group 60 idsldapadd command 105 idsldapmodify command 481 idsldapsearch command 482, 509 idsslapd command 481 idssupport tool requirement for IBM Tivoli Directory Integrator 65, 69, 75, 80, 86 idsucfgdb command 349 idsxcfg command 96, 349 idsxinst command 350 iKeyman 22 iKeyman utility setting the environment variable 322 setting up 315 information centers, searching 645 install_amacld 23 install_amacld command 154, 392 install_amadk 24 install_amadk command 163, 396 install_amjrte 24 install_amjrte command 173, 397 install_ammgr 24 install_ammgr command 141, 369, 399 install_amproxy 24 install_amproxy command 181, 404 install_amrte 24 Active Directory 382 install_amrte command 191, 408 configuring, runtime for Active Directory 382 configuring, runtime for Domino 389 configuring, runtime for LDAP 378 install_amsms 24 install_amsms command 282, 409 install_amsmscli 24 install_amsmscli command 296, 420 install_amweb command 24, 267, 424 install_amwebadk command 24, 259, 430 install_amwebars command 24, 219, 434 install_amwpi command 24, 241, 435 install_amwpm 24 install_amwpm command 201, 439 install_ldap_server 23, 24, 53 install_ldap_server command 57, 360, 361, 442 install.exe command 337 installation base components 5 base system 53 default port numbers 33 IBM Tivoli Directory Server language support 39 language support 37 methods 23 overview 3 planning for 1 process 21
installation (continued) session management system 279 Tivoli Access Manager components 5 using the native utilities 26 using the wizard 23 using Tivoli Configuration Manager 26 Web security components 8 Web security system 219 installation commands IBM Tivoli Directory Server pkgadd 78 IBM Tivoli Directory Server rpm 72 install_ldap_server 53 installp 39, 62 swinstall 40 swinstallp 40 installation components Access Manager Runtime 16 Access Manager Runtime for Java 16 attribute retrieval service 17 authorization server 15 development (ADK) system 15 IBM Tivoli Directory Server 16 plug-in for Apache Web Server 18 plug-in for Edge Server 18 plug-in for IBM HTTP Server 18 plug-in for IIS 18 plug-in for Sun ONE Web Server 19 policy proxy server 16 policy server 16 session management command line 20 session management server 19 Web Portal Manager 16 Web security development (ADK) 17 WebSEAL 17 installation modes console 25 graphical 23 interactive 25 response file 25 silent 25 text-based 25 installation packages AIX 64, 66 installation path default, Windows 83 installation scenarios install_ammgr wizard 369 install_ldap_server wizard 360 installation utilities install_amacld 23 install_amadk 24 install_amjrte 24 install_ammgr 24 install_amproxy 24 install_amrte 24 install_amsms 24 install_amsmscli 24 install_amweb 24 install_amwebadk 24 install_amwebars 24 install_amwpi 24 install_amwpm 24 install_ldap_server 23, 24 installation wizards attribute retrieval service 219 install_amacld 154, 392 install_amadk 163, 396 Index
installation wizards (continued) install_amjrte 173, 397 install_ammgr 141, 369, 399 install_amproxy 404 install_amrte 408 install_amrte (Active Directory) 382 install_amrte (Domino) 389 install_amrte (LDAP) 378 install_amsms 409 install_amsmscli 420 install_amweb 424 install_amwebadk 430 install_amwebars 434 install_amwpi 435 install_amwpm 439 install_ldap_server 57, 360, 361, 442 installing Access Manager Runtime 191 installing the policy proxy server 181 installing the session management server 282 plug-in for Web servers 241 session management command line 296 Web Portal Manager 201 Web security development (ADK) 259 WebSEAL 267 installation wizards options Access Manager Runtime (Active Directory) 382 Access Manager Runtime (Domino) 389 Access Manager Runtime (LDAP) 378 authorization server 392 development (ADK) 396 installations silent 607 installing IBM Java Runtime 318 IBM Tivoli Directory Server client 327 IBM Tivoli Directory Server, native utilities 58 policy server on HP-UX 144 policy server on HP-UX on Integrity 144 Web Administration Tool 338 WebSphere Application Server 333 installp (AIX) command plug-in for Edge Server 226 plug-in for IBM HTTP Server 242, 247 plug-in for Sun Java System Web Server 254 Web security development (ADK) 261 installp command IBM Tivoli Directory Server 62 installing language packages 39, 40 Instance Administration Tool description 87 instance name, WebSEAL 471 instance, directory server creating 87 creating with Instance Administration Tool 87 removing 350 interactive installation 25 internationalization code sets 50 IBM Tivoli Directory Server language support 39 installing language support 37 LANG variable 47 languages supported 36 locale environment variables 46 locale variants 48 message catalogs 49 uninstalling language support 44 Windows LANG variable 48
Internet, searching 645 iPlanet Directory Server See Sun Java System Directory Server ivrgy_tool utility 569 ivrgy_tool.exe 130
J
Java Runtime Environment configuration type 459 IBM Java Runtime 318 path name 459 pdconfig options 459 Java virtual machine 361 java.security file for iKeyman 316 join Microsoft Active Directory domain 116 JRE See also Java Runtime Environment IBM Java Runtime 11 JVM See Java virtual machine
K
key database file creating for LDAP clients 504 creating for LDAP server 486 creating for LDAP servers 474, 501 key file am_key.kdb 58, 360, 369 knowledge bases information centers 645 searching 645 the Internet 645
L
label SSL client certificate label 463 LANG environment variable 46 UNIX 47 Windows 48 language directives 49 language settings 46 language support code sets 50 Common Auditing and Reporting Service 37 IBM Tivoli Directory Server 39 installation packages 37 locale names for UNIX 47 locale names for Windows 48 locale variables 46 locale variants, implementing 48 message catalogs 49 overview 36 uninstallation 44 language support documentation AIX 64 HP-UX 64 Linux 75 LDAP Access Manager Runtime pdconfig options 448 client key file 472 importing certificate on client system 489 registry 378, 448
LDAP administrator 374 LDAP data format converting from standard to minimal 138 minimal 137 standard 138 LDAP server configuring SSL 504 enabling FIPS 483 host name 372, 380, 448 port 372 port number 380, 449 SSL port number 463 LDAP Server SSL client key file 463 LDAP_ADMINLIMIT_EXCEEDED 638 ldapmodify command 108 ldp Windows Support tool 488 license overview 7 uninstalling on AIX 352 uninstalling on HP-UX 353 uninstalling on HP-UX on Integrity 353 uninstalling on Linux 355 uninstalling on Solaris 356 uninstalling on Solaris on x86_64 356 uninstalling on Windows 358 lifecycle, certificates 465 linking, HACMP primary system files and directories 529 standby system files and directories 532 Linux code set file location 50 installing a development (ADK) system 167 installing a policy proxy server 185 installing Access Manager Runtime 195 installing Access Manager Runtime for Java 177 installing GSKit 313 installing IBM Java Runtime 320 installing IBM Tivoli Directory Server 72 installing session management command line 301 installing session management server 287 installing the attribute retrieval service 222 installing the authorization server 158 installing the plug-in for Apache Web Server 244 installing the plug-in for Edge Server 227 installing the plug-in for IBM HTTP Server 249 installing the policy server 146 installing the Tivoli Directory Server client 329 installing the Web security development (ADK) 263 installing Tivoli Security Utilities 324 installing Web Administration Tool 340 installing Web Portal Manager 208 installing WebSEAL 272 installing WebSphere Application Server 335 LANG variable 47 language support package location 44 message catalogs 49 text encoding 50 uninstall language support packages 44 uninstalling components 354 listening port authorization policy updates 464 Edge Server 462 policy server (Active Directory) 385, 452 policy server (Domino) 390, 456 WebSEAL 471
listening port, SSL registry server 387, 449, 452 local administrator ID 457 local host name 364 attribute retrieval service 457 authorization server 458 policy proxy server 467 locale 47, 55 locale environment variables 46 locale names UNIX 47 Windows 48 locale variants 48 log files msg__ldaps_install.log 368 log management tool requirement for IBM Tivoli Directory Integrator 65, 69, 75, 80, 86 logical network interface 471 look-through limit 638 Lotus Domino creating a Tivoli Access Manager administrative user 110 installing a Lotus Notes client 112 registry 13 setting up 108 Lotus Notes client installing on Tivoli Access Manager system 112
M
management domain 4, 380, 449 management domain creation 21 Management Domains 138 creating 139 location for Active Directory Application Mode registry 140 manuals see publications ix, xii message catalog internationalization 49 language directories 49 methods of installation 23 mgrsslcfg change certificate 572 change password 572 configure 572 modify 572 Microsoft Active Directory See Active Directory Microsoft Active Directory Application Mode See ADAM setting up 119 msg__ldaps_install.log file 368 multiple Active Directory domains 386, 451
N
native authentication IBM z/OS LDAP Server 107 Lotus Domino 110 native installation overview 26 native utilities attribute retrieval service 220 IBM Tivoli Directory Server 58 installing a development (ADK) system 164
native utilities (continued) installing Access Manager Runtime for Java 175 installing session management server 285 installing the authorization server 155 installing the policy proxy server 182 installing the policy server 142 installing Tivoli Access Manager runtime 193 installing, session management command line 298 plug-in for Web servers 242 Web Portal Manager 203 Web security development (ADK) 260 WebSEAL 269 NLSPATH environment variable 49 node name attribute retrieval service 457 non-SSL port 365 notation environment variables xv path names xv typeface xv Notes client password 391, 455 Novell eDirectory documentation 127 registry 14 setting up 127 Novell eDirectory server configuring SSL 495 creating organizational certificate authority object 495 extracting a self-signed certificate 496
overview (continued) session management server 9 Tivoli Directory Server client 11 Tivoli Security Utilities 7 Web Administration Tool 11 Web Portal Manager 7 Web security runtime 8 WebSphere Application Server 12
P
packages attribute retrieval service 220 for language 37 IBM Global Security Kit (GSKit) 10, 311 IBM Java Runtime 318 IBM Tivoli Directory Server client 327 IBM Tivoli Directory Server language support language support 37 plug-in for Web servers 242 Tivoli Access Manager runtime 193 Tivoli Security Utilities 323 uninstalling language support 44 Web Administration Tool 338 Web security components 8 WebSphere Application Server 333 packages, installation AIX 64, 66 Password policy LDAP 637 passwords Active Directory 384, 453 administrator confirmation 373 LDAP administrator 374 Notes client 391, 455 sec_master 373 SSL key file 365 Tivoli Directory Server 364 path name Java Runtime Environment 459 Web Servers (UNIX) 462 path names, notation xv pdbackup utility 574 pdcacert.b64 certificate file 144 pdconfig command Access Manager Runtime (LDAP) 448 pdconfig configuration command 447 pdconfig configuration utility 193 pdconfig options Access Manager Runtime for Java 459 attribute retrieval service 457 authorization server 458 Plug-in for Edge Server 461 Plug-in for Web Servers on UNIX 462 Plug-in for Web Servers on Windows 464 policy proxy server 467 policy server 465 Web Portal Manager 468 WebSEAL 471 pdconfig utility 578 installing a development (ADK) system 164 pdinfo utility (deprecated) See pdbackup pdjrtecfg configuring Java runtime component 579 PDMdata.nsf file 391, 455, 462 pdproxycfg utility 583
39
O
object space configuration model 235 ObjectGrid 280 online publications accessing xii options files base system 607 prerequisite system 607 session management system 609 ordering publications xiii organizational certificate authority object 495 osdef.conf configuration file 232 overall cluster topology 516 overview Access Manager ADK 8 Access Manager License 7 Access Manager Plug-in for Edge Server 8 Access Manager Plug-in for Web Servers 8 Access Manager Runtime 6 Access Manager Runtime for Java 6 Access Manager WebSEAL 8 ADK 5 attribute retrieval service 8 authorization server 5 FIPS 10 GSKit 10 IBM Java Runtime 11 IBM Tivoli Directory Server 11 installation 3 installation wizards 23 languages supported 36 policy proxy server 5 policy server 6 secure domain 4 session management command line 9
pdsmsclicfg configure 586 pdversion utility 589 pdwebpi.conf configuration file 242 pdwpicfg utility 591 permissions primary HACMP server 530 standby HACMP server 533 personal certificates Tivoli Directory Server 476, 505 pkgadd (Solaris on x86_64) command 187 pkgadd (Solaris) command 187 plug-in for Apache Web Server 245 plug-in for Edge Server 228 plug-in for IBM HTTP Server 250 plug-in for Sun Java System Web Server 256 Web security development (ADK) 264 pkgadd command 78 pkmspasswd command 107 planning for deployment 3 planning for installation 1 plug-in for Apache Web Server installing on AIX 242 installing on Linux 244 installing on Solaris 245 uninstalling on Linux 355 uninstalling on Solaris 356 uninstalling on Solaris on x86_64 356 plug-in for Edge Server configuration overview 231 configuration procedure 237 installation components 18 installing on AIX 226 installing on Linux 227 installing on Solaris 228 installing on Windows 230 object space configuration model 235 preinstallation requirements 225 server configuration concepts 233 server configuration model 232 setting up 225 single sign-on configuration model 236 Plug-in for Edge Server pdconfig options 461 plug-in for IBM HTTP Server installation components 18 installing on AIX 247 installing on Linux 249 installing on Solaris 250 installing on Windows 252 uninstalling on AIX 352 uninstalling on Linux 355 uninstalling on Solaris 356 uninstalling on Solaris on x86_64 356 plug-in for IIS installation components 18 plug-in for Internet Information Services installing on Windows 253 uninstalling on Windows 358 plug-in for Sun Java System Web Server installation components 19 installing on AIX 254 installing on Solaris 256 uninstalling on AIX 352 uninstalling on Solaris 356 uninstalling on Solaris on x86_64 356
plug-in for Web servers
  installing using native utilities 242
  installing using the wizard 241
  setting up 239
  uninstalling on AIX 353
  uninstalling on HP-UX 354
  uninstalling on Linux 356
  uninstalling on Solaris 357
  uninstalling on Windows 358
plug-in for Web Servers
  configuration options 435
  preinstallation requirements 239
  uninstalling on AIX 352
  uninstalling on Windows 358
Plug-in for Web Servers
  pdconfig options (UNIX) 462
  pdconfig options (Windows) 464
  uninstalling on Linux 355
  uninstalling on Solaris 356
  uninstalling on Solaris on x86_64 356
plug-ins
  for Apache Web Server 24
  for Apache Web Servers 18
  for Edge Server 8, 18
  for IBM HTTP Server 18, 24
  for IIS 18, 24
  for Sun ONE Web Server 19, 24
  for Web Servers 8
policy proxy server
  configuration options 404
  installation components 16
  installing on AIX 183
  installing on HP-UX 184
  installing on HP-UX on Integrity 184
  installing on Linux 185
  installing on Solaris 187
  installing on Solaris on x86_64 187
  installing on Windows 188
  installing using native utilities 182
  installing using the wizard 181
  local host name 467
  overview 5
  pdconfig options 467
  setting up 181
  uninstalling on AIX 352
  uninstalling on HP-UX 353
  uninstalling on HP-UX on Integrity 353
  uninstalling on Linux 355
  uninstalling on Solaris 356
  uninstalling on Solaris on x86_64 356, 357
  uninstalling on Windows 358
policy server
  configuration options 399
  creating a standby 523
  domain information 459
  host name 380, 449, 458, 459, 467
  host name (Active Directory) 385, 452
  host name (Domino) 390, 456
  installation components 16
  installation scenario 369
  installing on AIX 142
  installing on HP-UX 144
  installing on HP-UX on Integrity 144
  installing on Linux 146
  installing on Solaris 147
  installing on Solaris on x86_64 147
  installing on Windows 149
  installing using native utilities 142
  installing using the wizard 141
  listening port (Active Directory) 385, 452
  listening port (Domino) 390, 456
  overview 6
  pdconfig options 465
  port number 458, 459, 467
  setting up 137
  setting up a standby 511
  SSL port 373
  SSL port number 380, 449, 465
  uninstalling on AIX 352
  uninstalling on HP-UX 353
  uninstalling on HP-UX on Integrity 353
  uninstalling on Linux 355
  uninstalling on Solaris 357
  uninstalling on Windows 358
port
  authorization request 458
  Edge Server 461
  HTTP 471
  HTTPS 471
  LDAP server 380, 449
  policy server 458, 459, 467
  Web Traffic Express 461
port numbers
  needed during installation 33
port, SSL
  LDAP server 463
  policy server 380, 449, 465
ports
  LDAP server 372
  policy server SSL 373
  SSL 373
preinstallation requirements
  HACMP 512
  plug-in for Edge Server 225
  plug-in for Web servers 239
prerequisite products 10
  installing GSKit 311
  installing IBM Java Runtime 318
  installing IBM Tivoli Directory Server client 327
  installing the WebSphere Application Server 333
  installing Tivoli Security Utilities 323
  installing Web Administration Tool 338
prerequisite systems
  options files 607
primary HACMP server 527, 529, 530
procedure, plug-in for Edge Server configuration 237
process, installation 21
proxy request port 467
ps command 132
publications ix
  accessing online xii
  ordering xiii
Q
query_contents utility 236
R
Red Hat Enterprise Linux
  installing the plug-in for Edge Server 227
Regional setting, for Windows 46
registries 13
  IBM Tivoli Directory Server 13
  IBM z/OS LDAP Server 13
  Lotus Domino 13
  Microsoft Active Directory 13, 114
  Microsoft Active Directory Application Mode 14
  Novell eDirectory 14
  Sun Java System Directory Server 14, 132
  system requirements 13
registry
  Active Directory 382, 451
  Domino 389, 455
  LDAP 378, 448
registry server
  configuring SSL 474
  listening port, SSL 387, 449, 452
registry servers
  IBM Tivoli Directory Server 54
  IBM z/OS LDAP Server 105
  Lotus Domino 108
  Microsoft Active Directory Application Mode 119
  Novell eDirectory 127
  setting up 53
removing
  See uninstalling
removing packages
  See uninstalling
replication
  Microsoft Active Directory 119
request ports
  administration 458, 467
  authorization 458
  proxy 467
required components
  Access Manager Runtime 16
  Access Manager Runtime for Java 16
  attribute retrieval service 17
  authorization server 15
  development (ADK) system 15
  IBM Tivoli Directory Server 16
  plug-in for Apache Web Server 18
  plug-in for Edge Server 18
  plug-in for IBM HTTP Server 18
  plug-in for IIS 18
  plug-in for Sun Java System Web Server 19
  policy proxy server 16
  policy server 16
  session management command line 20
  session management server 19
  Web Portal Manager 16
  Web security development (ADK) 17
  WebSEAL 17
requirements
  HACMP 512
response file mode installation 25
response files
  template 609
  Web Security system 608
restore data
  backing up 574
  extracting 574
  restoring 574
Rock Ridge, mount command 37, 319
root administrator ID 457
rpm (Linux) command
  plug-in for Apache Web Server 244
  plug-in for Edge Server 227
  plug-in for IBM HTTP Server 249
  Web security development (ADK) 263
rpm command 72
rspfile directory 607, 609
runtime
  See TAM runtime
runtime system
  installation components 16
  installing using native utilities 193
  setting up Access Manager Runtime 191
runtime, Java
  See Access Manager Runtime for Java
runtimes
  Access Manager Runtime 6, 191
  Access Manager Runtime for Java 6, 173
  Access Manager Web Security Runtime 8
S
sample key database file 360
sample key file 58, 369
scenarios
  HACMP environment 513
  install_ammgr wizard 369
  install_ldap_server wizard 360, 361
schema files
  IBM z/OS LDAP Server 106
scripts
  linking files and directories 529
  linking from AIX files to shared directory 532
  setting UIDs 527
sec_master 458, 461, 462, 464, 465, 467, 470, 471
secAuthority=Default 135
secAuthority=Default suffix 104
secure domain
  overview 4
Secure Sockets Layer
  See SSL
security options
  setting 485
self-signed certificates 478, 507
  Novell eDirectory server 496
server and client authentication 480, 504
server authentication 480
server authentication, LDAP 504
server certificate 498, 499
server configuration concepts 233
server configuration model 232
server name
  Domino 391, 455
server utilities
  idscfgsuf 100
servers
  Access Manager Authorization Server 5
  Access Manager Plug-in for Edge Server 8
  Access Manager Plug-in for Web Servers 8
  Access Manager Policy Proxy Server 5
  Access Manager Policy Server 6
  Access Manager Session Management Server 9
  Access Manager WebSEAL 8
session management command line
  Access Manager component 9
  configuration options 420
  installation components 20
  installing on AIX 298
  installing on HP-UX 299
  installing on Linux 301
  installing on Solaris 302
  installing on Windows 304
  installing using native utilities 298
  installing using the wizard 296
  setting up 295
  uninstalling on HP-UX 353
  uninstalling on HP-UX on Integrity 353
  uninstalling on Linux 355
  uninstalling on Solaris 357
  uninstalling on Solaris on x86_64 357
  uninstalling on Windows 358
Session Management Command Line
  uninstalling on AIX 352
session management components 9
session management server 9
session management server
  Access Manager component 9
  configuration options 409
  installation components 19
  installing on AIX 285
  installing on HP-UX 286
  installing on Linux 287
  installing on Solaris 287
  installing on Windows 288
  installing using native utilities 285
  installing using the wizard 282
  setting up 279
  uninstalling on Windows 358
Session Management Server
  uninstalling on AIX 352
  uninstalling on HP-UX 353
  uninstalling on HP-UX on Integrity 353
  uninstalling on Linux 355
  uninstalling on Solaris 357
  uninstalling on Solaris on x86_64 357
session management server installation 279
session management systems
  options files 609
setting security options for Tivoli Directory Server 485
setting UIDs 527
setting up
  Access Manager Runtime 191
  Access Manager Runtime for Java 173
  attribute retrieval service 219
  development (ADK) system 163
  IBM Tivoli Directory Server 54
  IBM z/OS LDAP Server 105
  iKeyman utility 315
  Lotus Domino 108
  Microsoft Active Directory 114
  Microsoft Active Directory Application Mode 119
  Novell eDirectory 127
  plug-in for Edge Server 225
  plug-in for Web servers 239
  policy proxy server 181
  policy server 137
  prerequisite products 311
  registry server 53
  session management command line 295
  session management server 279
  standby policy server 511
  Sun Java System Directory Server 132
  Web Security ADK system 259
  WebSEAL 267
setup.exe (Windows) command 188
  plug-in for Edge Server 230
  plug-in for Internet Information Services 253
  Web security development (ADK) 265
signer certificate 497
signer certificates
  Tivoli Directory Server 478, 507
silent installations 607
silent mode installation 25
single sign-on configuration model 236
slapd.conf 485
SMS
  See session management server
SMS CLI
  See session management command line
smscfg utility 594
SNMP requirement for IBM Tivoli Directory Integrator 65, 69, 75, 80, 86
soft links
  primary HACMP server 530
  standby HACMP server 533
software updates, receiving 646
Solaris
  installing a development (ADK) system 168
  installing a policy proxy server 187
  installing Access Manager Runtime 197
  installing Access Manager Runtime for Java 178
  installing GSKit 314
  installing IBM Java Runtime 321
  installing IBM Tivoli Directory Server 78
  installing session management command line 302
  installing session management server 287
  installing the attribute retrieval service 223
  installing the authorization server 159
  installing the plug-in for Apache Web Server 245
  installing the plug-in for Edge Server 228
  installing the plug-in for IBM HTTP Server 250
  installing the plug-in for Sun Java System Web Server 256
  installing the policy server 147
  installing the Tivoli Directory Server client 330
  installing the Web security development (ADK) 264
  installing Tivoli Security Utilities 325
  installing Web Administration Tool 341
  installing Web Portal Manager 211
  installing WebSEAL 273
  installing WebSphere Application Server 336
  uninstalling components 356
Solaris on x86_64
  installing a development (ADK) system 168
  installing a policy proxy server 187
  installing Access Manager Runtime 197
  installing Access Manager Runtime for Java 178
  installing GSKit 314
  installing IBM Java Runtime 321
  installing the authorization server 159
  installing the policy server 147
  installing the Tivoli Directory Server client 330
  installing the Web security development (ADK) 264
  installing Tivoli Security Utilities 325
  installing Web Administration Tool 341
  installing Web Portal Manager 211
  installing WebSphere Application Server 336
  uninstalling components 356
Solaris x86_64
  installing WebSEAL 273
SSL
  certificate label 453
  certificate lifecycle 373, 465
  client certificate label 463, 472
  configuring for Active Directory Application Mode 491
  configuring for IBM z/OS 485
  configuring for LDAP server 504
  configuring for Microsoft Active Directory 488
  configuring for Novell eDirectory server 495
  configuring for Sun Java System Directory Server 498
  configuring for Tivoli Directory Server 474
  connection timeout 373, 465
  enabling for Edge Server 462
  enabling on Tivoli Directory Server 480
  IBM Global Security Kit (GSKit) 311
  LDAP client key file 463
  policy server 380, 449
  port 373
  testing access on the LDAP server 489, 509
  testing access on the Tivoli Directory Server client 503
  verifying operation 482
SSL configuration
  for Active Directory Application Mode 491
  for IBM z/OS 485
  for LDAP server 504
  for Microsoft Active Directory 488
  for Novell eDirectory server 495
  for Sun Java System Directory Server 498
SSL key file
  certificate label 366, 373
  full path 365
  password 365
SSL port 365
standby HACMP server 527, 532, 533
standby policy server 137
  creating 523
  setting up 511
stanza entries
  doAudit 548
startServer command 101
startServer.bat command 343
step-by-step installation
  IBM Tivoli Directory Server 360
suffix
  adding idscfgsuf 100
suffix, user-defined 364
suffixes
  IBM z/OS LDAP Server 106
suffixes (Tivoli Directory Server)
  adding 104
Sun Java System Directory Server
  configuring SSL 498
  documentation 132
  LDAP_ADMINLIMIT_EXCEEDED 638
  look-through limit 638
  registry 14
  setting up 132
Sun Java System Web Server
  uninstalling on AIX 352
Sun ONE Directory Server
  See Sun Java System Directory Server
support
  See customer support
support for languages
  installing 37
  installing for IBM Tivoli Directory Server 39
  uninstalling 44
svrsslcfg
  add replica 601
  change certificate 601
  change password 601
  change port 601
  change replica 601
  configure 601
  modify 601
  remove replica 601
  unconfigure 601
swinstall (HP-UX) command
  Web security development (ADK) 262
swinstall command
  installing language packages 40
system requirements 13
  registries 13
systems
  base systems 15
  session management systems 19
  Web security systems 17
T
templates
  response file 609
testing SSL 489, 503, 509
text encoding
  See code sets
text-based mode installation 25
timeout, connection 465
Tivoli Access Manager 13
  base system installation 53
  base systems 15
  configuration commands 547
  database name 391, 455
  default domain 380, 449
  default port numbers 33
  installation components 5
  installing prerequisite products 311
  language support packages 35
  policy proxy server 181
  policy server scenario 369
  registry scenario 360
  required IDs and groups 30
  session management systems 19, 279
  setting up an attribute retrieval service 219
  setting up the authorization server 153
  setting up the plug-in for Edge Server 225
  setting up the plug-in for Web servers 239
  unconfiguring components 348
  unconfiguring for Tivoli Directory Server 349
  Web security components 8
  Web security system installation 219
  Web security systems 17
Tivoli Access Manager runtime
  See also Access Manager Runtime
  installing using native utilities 193
Tivoli Access Manager Runtime for Java
  See Access Manager Runtime for Java
Tivoli Access Manager Session Management Command Line
  See session management command line
Tivoli Access Manager session management server
  See session management server
Tivoli Access Manager system
  installing a Lotus Notes client 112
Tivoli Access Manager WebSEAL
  See WebSEAL
Tivoli Common Directory
  directory name 460
  directory names 379
  enabling 379, 383, 448, 453, 456
  installation directory 454
  trace and message logs 459
Tivoli Configuration Manager
  overview 26
Tivoli Directory Server
  backing up the instance 99
  configuration options 442
  configuring a suffix 99
  configuring for Tivoli Access Manager 100
  creating key database file 474, 501
  documentation 54
  enabling FIPS 483
  exporting certificate 488
  installation scenario 360
  installing on Windows 83
  pre-installation requirements 360
  starting administration daemon 481
  starting server 481
  stopping administration daemon 481
  stopping server 481
  unconfiguring 349
  uninstalling on AIX 352
  uninstalling on HP-UX 353
  uninstalling on HP-UX on Integrity 353
  uninstalling on Linux 354
  uninstalling on Solaris 356
  uninstalling on Solaris on x86_64 356
  uninstalling on Windows 358
Tivoli Directory Server client
  creating key database file 504
  installing 327
  installing on AIX 327
  installing on HP-UX 328
  installing on HP-UX on Integrity 328
  installing on Linux 329
  installing on Solaris 330
  installing on Solaris on x86_64 330
  installing on Windows 331
  overview 11
  uninstalling on AIX 351
  uninstalling on HP-UX 353
  uninstalling on HP-UX on Integrity 353
  uninstalling on Linux 354
  uninstalling on Solaris 356
  uninstalling on Solaris on x86_64 356
Tivoli Directory Server installation packages
  AIX 63, 328
Tivoli Directory Server interface
  See Web Administration Tool
Tivoli Directory Server packages, installation
  AIX 63, 328
Tivoli Information Center xii
Tivoli Security Utilities 323
  installing 323
  installing on AIX 323
  installing on HP-UX 323
  installing on Linux 324
  installing on Solaris 325
  installing on Solaris on x86_64 325
  installing on Windows 326
  overview 7
  uninstalling on AIX 352
  uninstalling on HP-UX 353
  uninstalling on HP-UX on Integrity 353
  uninstalling on Linux 355
  uninstalling on Solaris 357
  uninstalling on Solaris on x86_64 357
  uninstalling on Windows 358
Tivoli technical training xiii
Tivoli user groups xiii
tools
  ivrgy_tool 106, 130
  ldp 488
  Novell eDirectory ConsoleOne 127
  Novell iManager 127
  Tivoli Directory Server Web Administration Tool 101
topology, HACMP
  application server definition 522
  cluster resources 518
  overall cluster 516
trace and message logs
  common log file location 459
training, Tivoli technical xiii
typeface conventions xiv
types of Tivoli Access Manager systems 15
U
unconfiguring
  Tivoli Access Manager components 348
  Tivoli Directory Server 349
Unicode 50
uninstallation
  language support 44
uninstalling
  components on AIX 351
  components on HP-UX 353
  components on HP-UX on Integrity 353
  components on Linux 354
  components on Solaris 356
  components on Solaris on x86_64 356
  components on Windows 357
UNIX
  code set file location 50
  LANG variable 47
  language support package location 44
  message catalogs 49
  Plug-in for Web Servers pdconfig options 462
  text encoding 50
  uninstall language support packages 44
  virtual hosts 462
  Web Servers path name 462
user groups, Tivoli xiii
user IDs required for Tivoli Access Manager 30
user IDs, required
  See administrator IDs
user registries
  See registries
user registry
  Active Directory 382, 451
  differences 637
  Domino 389
  LDAP 378, 448
  maximum values 641
user-defined suffix 364
UTF-8 encoding 50
utilities
  See also commands
  amauditcfg 548
  amwebcfg 552
  amwpmcfg 557
  bassslcfg 561
  command line
    idscfgdb 98
    idscfgsuf 100
    idsidrop 350
  GSKit iKeyman 22, 315
  install component executable files 564
  install_amacld 565
  install_amadk 565
  install_amjrte 566
  install_ammgr 566
  install_amproxy 566
  install_amrte 566
  install_amweb 566
  install_amwebadk 566
  install_amwebars 567
  install_amwpi 567
  install_amwpm 567
  install_ldap_server 567
  ivrgy_tool 569
  mgrsslcfg 572
  native installation 26
  pdbackup 574
  pdconfig 578
  pdinfo (deprecated) 574
  pdjrtecfg 579
  pdproxycfg 583
  pdsmsclicfg 586
  pdversion 589
  pdwpicfg 591
  query_contents 236
  sms 568
  smscfg 594
  smscli 568
  svrsslcfg 601
  wesosm 227
V
variables
  LANG 46
  LANG with UNIX 47
  LANG with Windows 48
  NLSPATH 49
variables, notation for xv
variants, language locales 48
verifying
  primary server directories, links and permissions 530
  standby server directories, links and permissions 533
virtual hosts 464
  Web Servers (UNIX) 462
W
WAS
  See WebSphere Application Server
Web Administration Tool
  installing 338
  installing on AIX 338
  installing on HP-UX 339
  installing on HP-UX on Integrity 339
  installing on Linux 340
  installing on Solaris 341
  installing on Solaris on x86_64 341
  installing on Windows 342
  overview 11
  using 101
Web document root directory 471
Web Portal Manager 216
  configuration options 439
  configure using amwpmcfg 557
  installation components 16
  installing on AIX 204
  installing on HP-UX 206
  installing on Linux 208
  installing on Solaris 211
  installing on Solaris on x86_64 211
  installing on Windows 214
  installing using native utilities 203
  installing using the wizard 201
  overview 7
  pdconfig options 468
  uninstalling on AIX 352
  uninstalling on HP-UX 353
  uninstalling on HP-UX on Integrity 353
  uninstalling on Linux 355
  uninstalling on Solaris 357
  uninstalling on Solaris on x86_64 357
  uninstalling on Windows 358
Web Security ADK
  configuration options 430
  setting up a development system 259
  uninstalling on AIX 352
  uninstalling on HP-UX 353
  uninstalling on HP-UX on Integrity 353
  uninstalling on Linux 355
  uninstalling on Solaris 357
  uninstalling on Solaris on x86_64 357
  uninstalling on Windows 358
Web security components
  Access Manager ADK 8
  Access Manager Plug-in for Edge Server 8
  Access Manager Plug-in for Web Servers 8
  Access Manager WebSEAL 8
  attribute retrieval service 8
Web Security components
  Access Manager Web Security Runtime 8
Web security development (ADK)
  installation components 17
  installing on AIX 261
  installing on HP-UX 262
  installing on HP-UX on Integrity 262
  installing on Linux 263
  installing on Solaris 264
  installing on Solaris on x86_64 264
  installing on Windows 265
  installing using native utilities 260
  installing using the wizard 259
Web Security Runtime
  uninstalling on AIX 352
  uninstalling on HP-UX 353, 355
  uninstalling on HP-UX on Integrity 353
  uninstalling on Solaris 357
  uninstalling on Solaris on x86_64 357
  uninstalling on Windows 358
Web Security system
  response files 608
Web security system installation 219
Web Servers
  pdconfig options (UNIX) 462
  pdconfig options (Windows) 464
  uninstalling on AIX 352
Web Traffic Express 461
WebSEAL
  configuration options 424
  host name 471
  installation components 17
  installing on AIX 269
  installing on HP-UX 270
  installing on HP-UX on Integrity 270
  installing on Linux 272
  installing on Solaris 273
  installing on Solaris x86_64 273
  installing on Windows 275
  installing using native utilities 269
  installing using the wizard 267
  instance name 471
  listening port 471
  pdconfig options 471
  setting up 267
  uninstalling on AIX 352
  uninstalling on HP-UX 353
  uninstalling on HP-UX on Integrity 353
  uninstalling on Linux 355
  uninstalling on Solaris 357
  uninstalling on Solaris on x86_64 357
  uninstalling on Windows 358
WebSphere Application Server
  install.exe command 337
  installing 333
  installing on AIX 333
  installing on HP-UX 334
  installing on HP-UX on Integrity 334
  installing on Linux 335
  installing on Solaris 336
  installing on Solaris on x86_64 336
  installing on Windows 336
  overview 12
  startServer.bat command 343
  uninstalling on AIX 352
  uninstalling on HP-UX 354
  uninstalling on Linux 356
  uninstalling on Solaris 357
  uninstalling on Windows 358
WebSphere Application Server security 216
wesosm utility 227
Windows
  code set file location 50
  installing a development (ADK) system 170
  installing a policy proxy server 188
  installing Access Manager Runtime 199
  installing Access Manager Runtime for Java 180
  installing GSKit 315
  installing IBM Java Runtime 321
  installing session management command line 304
  installing session management server 288
  installing the attribute retrieval service 223
  installing the authorization server 161
  installing the plug-in for Edge Server 230
  installing the plug-in for Internet Information Services 253
  installing the policy server 149
  installing the Tivoli Directory Server client 331
  installing the Web security development (ADK) 265
  installing the WebSphere Application Server 336
  installing Tivoli Directory Server 83
  installing Tivoli Security Utilities 252, 326
  installing Web Administration Tool 342
  installing Web Portal Manager 214
  installing WebSEAL 275
  LANG variable 48
  language support package location 44
  message catalogs 49
  Plug-in for Web Servers pdconfig options 464
  text encoding 50
  uninstall language support packages 44
  uninstalling components 357
wizards
  See installation wizards
WPM
  See Web Portal Manager
Z
z/OS
  See IBM z/OS
Printed in USA
GC23-6502-01